Maven package
org.jenkins-ci.plugins.m2release/m2release
pkg:maven/org.jenkins-ci.plugins.m2release/m2release
Vulnerabilities (5)
| CVE | Severity | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2019-16550 | High | 8.8 | | < 0.16.2 | 0.16.2 | Dec 17, 2019 | A cross-site request forgery vulnerability in a connection test form method in Jenkins Maven Release Plugin 0.16.1 and earlier allows attackers to have Jenkins connect to an attacker-specified web server and parse XML documents. |
| CVE-2019-16549 | High | 8.1 | | < 0.16.2 | 0.16.2 | Dec 17, 2019 | Jenkins Maven Release Plugin 0.16.1 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks, allowing man-in-the-middle attackers to have Jenkins parse crafted XML documents. |
| CVE-2019-10361 | Medium | 5.5 | | < 0.15.0 | 0.15.0 | Jul 31, 2019 | Jenkins Maven Release Plugin 0.14.0 and earlier stored credentials unencrypted on the Jenkins master where they could be viewed by users with access to the master file system. |
| CVE-2019-10360 | Medium | 5.4 | | < 0.15.0 | 0.15.0 | Jul 31, 2019 | A stored cross-site scripting vulnerability in Jenkins Maven Release Plugin 0.14.0 and earlier allowed attackers to inject arbitrary HTML and JavaScript in the plugin-provided web pages in Jenkins. |
| CVE-2019-10359 | Medium | 6.3 | | < 0.15.0 | 0.15.0 | Jul 31, 2019 | A cross-site request forgery vulnerability in Jenkins Maven Release Plugin 0.14.0 and earlier in the M2ReleaseAction#doSubmit method allowed attackers to perform releases with attacker-specified options. |