βΌ CVE-2022-39301 βΌ
π Read
via "National Vulnerability Database".
sra-admin is a background rights management system that separates the front and back end. sra-admin version 1.1.1 has a storage cross-site scripting (XSS) vulnerability. After logging into the sra-admin background, an attacker can upload an html page containing xss attack code in "Personal Center" - "Profile Picture Upload" allowing theft of the user's personal information. This issue has been patched in 1.1.2. There are no known workarounds.π Read
via "National Vulnerability Database".
π΄ Kaspersky Launches New VPN to Amplify Speed and Convenience π΄
π Read
via "Dark Reading".
New version boosts VPN tunnel performance and lets users prioritize secure connection traffic for certain services.π Read
via "Dark Reading".
Dark Reading
Kaspersky Launches New VPN to Amplify Speed and Convenience
New version boosts VPN tunnel performance and lets users prioritize secure connection traffic for certain services.
π΄ Zscaler Advances Enterprise Data Security With Zero-Configuration Data Protection π΄
π Read
via "Dark Reading".
New data-protection innovations mitigate security risks by expediting deployment cycles and simplifying operational complexity.π Read
via "Dark Reading".
Dark Reading
Zscaler Advances Enterprise Data Security With Zero-Configuration Data Protection
New data-protection innovations mitigate security risks by expediting deployment cycles and simplifying operational complexity.
β Women in Cryptology β USPS celebrates WW2 codebreakers β
π Read
via "Naked Security".
What did you do in the war, Mom? Oh, y'know, a bit of this and that...π Read
via "Naked Security".
Naked Security
Women in Cryptology β USPS celebrates WW2 codebreakers
What did you do in the war, Mom? Oh, yβknow, a bit of this and thatβ¦
π1
π΄ SBOMs: An Overhyped Concept That Won't Secure Your Software Supply Chain π΄
π Read
via "Dark Reading".
We need more than the incomplete snapshot SBOMs provide to have real impact.π Read
via "Dark Reading".
Dark Reading
SBOMs: An Overhyped Concept That Won't Secure Your Software Supply Chain
We need more than the incomplete snapshot SBOMs provide to have real impact.
π1
βΌ CVE-2022-43428 βΌ
π Read
via "National Vulnerability Database".
Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process.π Read
via "National Vulnerability Database".
βΌ CVE-2022-43433 βΌ
π Read
via "National Vulnerability Database".
Jenkins ScreenRecorder Plugin 0.7 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download.π Read
via "National Vulnerability Database".
βΌ CVE-2022-43409 βΌ
π Read
via "National Vulnerability Database".
Jenkins Pipeline: Supporting APIs Plugin 838.va_3a_087b_4055b and earlier does not sanitize or properly encode URLs of hyperlinks sending POST requests in build logs, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create Pipelines.π Read
via "National Vulnerability Database".
βΌ CVE-2022-43419 βΌ
π Read
via "National Vulnerability Database".
Jenkins Katalon Plugin 1.0.32 and earlier stores API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.π Read
via "National Vulnerability Database".
βΌ CVE-2022-43420 βΌ
π Read
via "National Vulnerability Database".
Jenkins Contrast Continuous Application Security Plugin 3.9 and earlier does not escape data returned from the Contrast service when generating a report, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control or modify Contrast service API responses.π Read
via "National Vulnerability Database".
βΌ CVE-2022-43434 βΌ
π Read
via "National Vulnerability Database".
Jenkins NeuVector Vulnerability Scanner Plugin 1.20 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download.π Read
via "National Vulnerability Database".
βΌ CVE-2022-43435 βΌ
π Read
via "National Vulnerability Database".
Jenkins 360 FireLine Plugin 1.7.2 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download.π Read
via "National Vulnerability Database".
βΌ CVE-2022-43426 βΌ
π Read
via "National Vulnerability Database".
Jenkins S3 Explorer Plugin 1.0.8 and earlier does not mask the AWS_SECRET_ACCESS_KEY form field, increasing the potential for attackers to observe and capture it.π Read
via "National Vulnerability Database".
βΌ CVE-2022-43430 βΌ
π Read
via "National Vulnerability Database".
Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.π Read
via "National Vulnerability Database".
βΌ CVE-2022-43408 βΌ
π Read
via "National Vulnerability Database".
Jenkins Pipeline: Stage View Plugin 2.26 and earlier does not correctly encode the ID of 'input' steps when using it to generate URLs to proceed or abort Pipeline builds, allowing attackers able to configure Pipelines to specify 'input' step IDs resulting in URLs that would bypass the CSRF protection of any target URL in Jenkins.π Read
via "National Vulnerability Database".
βΌ CVE-2022-43418 βΌ
π Read
via "National Vulnerability Database".
A cross-site request forgery (CSRF) vulnerability in Jenkins Katalon Plugin 1.0.33 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.π Read
via "National Vulnerability Database".
βΌ CVE-2022-43422 βΌ
π Read
via "National Vulnerability Database".
Jenkins Compuware Topaz Utilities Plugin 1.0.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process.π Read
via "National Vulnerability Database".
βΌ CVE-2022-43427 βΌ
π Read
via "National Vulnerability Database".
Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.π Read
via "National Vulnerability Database".
βΌ CVE-2022-43414 βΌ
π Read
via "National Vulnerability Database".
Jenkins NUnit Plugin 0.27 and earlier implements an agent-to-controller message that parses files inside a user-specified directory as test results, allowing attackers able to control agent processes to obtain test results from files in an attacker-specified directory on the Jenkins controller.π Read
via "National Vulnerability Database".
βΌ CVE-2022-43413 βΌ
π Read
via "National Vulnerability Database".
Jenkins Job Import Plugin 3.5 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.π Read
via "National Vulnerability Database".
βΌ CVE-2022-43407 βΌ
π Read
via "National Vulnerability Database".
Jenkins Pipeline: Input Step Plugin 451.vf1a_a_4f405289 and earlier does not restrict or sanitize the optionally specified ID of the 'input' step, which is used for the URLs that process user interactions for the given 'input' step (proceed or abort) and is not correctly encoded, allowing attackers able to configure Pipelines to have Jenkins build URLs from 'input' step IDs that would bypass the CSRF protection of any target URL in Jenkins when the 'input' step is interacted with.π Read
via "National Vulnerability Database".