Maven package
com.rapid7/jenkinsci-appspider-plugin
pkg:maven/com.rapid7/jenkinsci-appspider-plugin
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-28155 | — | | | < 1.0.17 | 1.0.17 | Mar 6, 2024 | Jenkins AppSpider Plugin 1.0.16 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to obtain information about available scan config names, engine group names, and client names. |
| CVE-2023-32999 | — | | | < 1.0.16 | 1.0.16 | May 16, 2023 | A missing permission check in Jenkins AppSpider Plugin 1.0.15 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL and send an HTTP POST request with a JSON payload consisting of attacker-specified credentials. |
| CVE-2023-32998 | — | | | < 1.0.16 | 1.0.16 | May 16, 2023 | A cross-site request forgery (CSRF) vulnerability in Jenkins AppSpider Plugin 1.0.15 and earlier allows attackers to connect to an attacker-specified URL and send an HTTP POST request with a JSON payload consisting of attacker-specified credentials. |
| CVE-2020-2314 | — | | | < 1.0.13 | 1.0.13 | Nov 4, 2020 | Jenkins AppSpider Plugin 1.0.12 and earlier stores a password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. |
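The practical question this table raises is whether a given Jenkins controller is running an affected build. The script below is an added example (not part of this page or of the plugin) that reads the JSON returned by Jenkins's plugin manager API (`GET /pluginManager/api/json?depth=1`, which normally requires Overall/Administer), finds the AppSpider plugin entry, and reports which of the four CVEs apply by comparing the installed version numerically against the "Fixed in" column. The plugin's `shortName` of `appspider-plugin` is an assumption; the sample JSON is constructed for the example.

```python
import json

# "Fixed in" versions from the advisory table; every version strictly below
# the fixed version is affected.
APPSPIDER_FIXES = {
    "CVE-2024-28155": "1.0.17",
    "CVE-2023-32999": "1.0.16",
    "CVE-2023-32998": "1.0.16",
    "CVE-2020-2314": "1.0.13",
}

# Assumption: the shortName Jenkins reports for this plugin in pluginManager output.
PLUGIN_SHORT_NAME = "appspider-plugin"

# Constructed sample of GET /pluginManager/api/json?depth=1 output (not real data).
SAMPLE_PLUGIN_MANAGER_JSON = json.dumps({
    "_class": "hudson.LocalPluginManager",
    "plugins": [
        {"shortName": "git", "version": "5.2.1", "active": True},
        {"shortName": "appspider-plugin", "version": "1.0.15", "active": True},
    ],
})


def parse_version(version):
    """Turn '1.0.17' into (1, 0, 17). Each dot-separated part keeps only its
    leading digits, so '1.0.17-SNAPSHOT' compares like 1.0.17. Comparing
    tuples avoids the lexical trap where '1.0.9' > '1.0.13' as strings."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(installed, fixed):
    """True when installed < fixed, padding shorter tuples with zeros."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def affected_cves(installed_version):
    """CVE IDs from the table that apply to the installed version, sorted."""
    return sorted(cve for cve, fixed in APPSPIDER_FIXES.items()
                  if is_affected(installed_version, fixed))


def find_plugin_version(plugin_manager_json, short_name=PLUGIN_SHORT_NAME):
    """Installed version of the plugin, or None if it is not installed."""
    data = json.loads(plugin_manager_json)
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") == short_name:
            return plugin.get("version")
    return None


def audit(plugin_manager_json):
    """Summarise exposure: installed version and the CVEs that still apply."""
    version = find_plugin_version(plugin_manager_json)
    if version is None:
        return {"installed": None, "affected": []}
    return {"installed": version, "affected": affected_cves(version)}


if __name__ == "__main__":
    # In practice feed real output, e.g.:
    #   curl -s -u USER:API_TOKEN 'https://jenkins.example/pluginManager/api/json?depth=1'
    print(json.dumps(audit(SAMPLE_PLUGIN_MANAGER_JSON), indent=2))
```

Note that the comparison is deliberately numeric: a string comparison would rank 1.0.9 above 1.0.13 and report a vulnerable controller as clean. Upgrading to 1.0.17 closes all four entries; for CVE-2020-2314, also rotate the password that was stored in clear text, since anyone with file-system access to the controller may already have read it.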