Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Severity: High
CVE-2023-28684 CVSS:7.1
Jenkins remote-jobs-view-plugin Plugin could allow a remote authenticated attacker to obtain sensitive information, caused by improper handling of XML external entity (XXE) declarations by the XML parser. By using a specially crafted XML report file, an attacker could exploit this vulnerability to obtain secrets from the Jenkins controller or perform server-side request forgery attacks.
CVE-2023-28683 CVSS:7.1
Jenkins Phabricator Differential Plugin could allow a remote authenticated attacker to obtain sensitive information, caused by improper handling of XML external entity (XXE) declarations by the XML parser. By using a specially crafted XML report file, an attacker could exploit this vulnerability to obtain secrets from the Jenkins controller or perform server-side request forgery attacks.
CVE-2023-28682 CVSS:7.1
Jenkins Performance Publisher Plugin could allow a remote authenticated attacker to obtain sensitive information, caused by improper handling of XML external entity (XXE) declarations by the XML parser. By using a specially crafted XML report file, an attacker could exploit this vulnerability to obtain secrets from the Jenkins controller or perform server-side request forgery attacks.
CVE-2023-28681 CVSS:7.1
Jenkins Crap4J Plugin could allow a remote authenticated attacker to obtain sensitive information, caused by improper handling of XML external entity (XXE) declarations by the XML parser. By using a specially crafted XML report file, an attacker could exploit this vulnerability to obtain secrets from the Jenkins controller or perform server-side request forgery attacks.
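The four XXE entries above share one root cause: the plugin's XML parser honours DOCTYPE declarations in a report file it did not author, so an external entity declared there can be resolved against the controller's file system or network. The following is an added example, not code from Jenkins or from any of the plugins listed, showing the defensive side in stdlib-only Python: a parser for a constructed flat report format that refuses any DOCTYPE before the internal subset is read and refuses external entity references as a second line of defence. The `<report>`/`<item>` schema, the sample inputs and the function names are assumptions made for illustration.

```python
import xml.parsers.expat


class DoctypeRejected(ValueError):
    """Raised when a report carries a DOCTYPE, the construct XXE relies on."""


def parse_report(xml_bytes: bytes) -> dict:
    """Parse a flat <report><item name="...">text</item>...</report> document
    (a constructed stand-in for a plugin result file) into a dict.

    A DOCTYPE declaration aborts parsing before its subset is processed, and
    any external entity reference that somehow survives is refused as well.
    """
    parser = xml.parsers.expat.ParserCreate()
    results = {}
    current = {"name": None, "chunks": []}

    def on_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # A result file never legitimately needs a DTD; refuse it outright.
        raise DoctypeRejected(f"DOCTYPE {doctype_name!r} is not allowed in report files")

    def on_external_entity(context, base, system_id, public_id):
        # Returning 0 makes expat fail the parse instead of fetching the entity.
        return 0

    def on_start(name, attrs):
        if name == "item":
            current["name"] = attrs.get("name")
            current["chunks"] = []

    def on_text(data):
        # Character data may arrive in several chunks; collect them all.
        if current["name"] is not None:
            current["chunks"].append(data)

    def on_end(name):
        if name == "item" and current["name"] is not None:
            results[current["name"]] = "".join(current["chunks"]).strip()
            current["name"] = None

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_text
    parser.EndElementHandler = on_end
    parser.Parse(xml_bytes, True)
    return results


def verdict(xml_bytes: bytes) -> str:
    """Return 'accepted' or 'rejected: <reason>' for a candidate report file."""
    try:
        parse_report(xml_bytes)
    except (DoctypeRejected, xml.parsers.expat.ExpatError) as exc:
        return f"rejected: {exc}"
    return "accepted"


# Constructed sample inputs; neither comes from a real plugin or advisory.
CLEAN_REPORT = b"<report><item name='tests'>42</item><item name='failures'>1</item></report>"
DTD_REPORT = (
    b"<?xml version='1.0'?>"
    b"<!DOCTYPE report [<!ENTITY ext SYSTEM 'http://example.invalid/x.dtd'>]>"
    b"<report><item name='tests'>&ext;</item></report>"
)

if __name__ == "__main__":
    print(parse_report(CLEAN_REPORT))  # {'tests': '42', 'failures': '1'}
    print(verdict(DTD_REPORT))          # rejected: DOCTYPE 'report' is not allowed in report files
```

The Jenkins plugins themselves are Java; the equivalent hardening there is to set the JAXP feature `http://apache.org/xml/features/disallow-doctype-decl` to true on the `DocumentBuilderFactory` or `SAXParserFactory` before parsing anything supplied by a build, which rejects the DOCTYPE in the same way the handler above does.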
CVE-2023-28680 CVSS:8
Jenkins Mashup Portlets Plugin is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVE-2023-28679 CVSS:8
Jenkins Mashup Portlets Plugin is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVE-2023-28678 CVSS:8
Jenkins Cppcheck Plugin is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVE-2023-28677 CVSS:8
Jenkins Convert To Pipeline Plugin could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a command injection flaw. By using a specially crafted configuration that injects Pipeline script, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVE-2023-28676 CVSS:8.8
Jenkins Convert To Pipeline Plugin is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to create a Pipeline based on a Freestyle project. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
CVE-2023-28675 CVSS:4.3
Jenkins Convert To Pipeline Plugin could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a command injection flaw. By using a specially crafted configuration that injects Pipeline script, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVE-2023-28674 CVSS:4.3
Jenkins OctoPerf Load Testing Plugin is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to connect to a previously configured OctoPerf server. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
CVE-2023-28673 CVSS:4.3
Jenkins OctoPerf Load Testing Plugin could allow a remote authenticated attacker to obtain sensitive information, caused by an improper permission check in an HTTP endpoint. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to enumerate credential IDs, and use this information to launch further attacks against the affected system.
CVE-2023-28672 CVSS:7.1
Jenkins OctoPerf Load Testing Plugin could allow a remote authenticated attacker to bypass security restrictions, caused by an improper permission check in a connection test HTTP endpoint. By sending a specially crafted request, an attacker could exploit this vulnerability to connect to an attacker-specified URL.
CVE-2023-28671 CVSS:4.3
Jenkins OctoPerf Load Testing Plugin is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to connect to an attacker-specified URL. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
CVE-2023-28670 CVSS:8
Jenkins Pipeline Aggregator View Plugin is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVE-2023-28669 CVSS:8
Jenkins JaCoCo Plugin is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVE-2023-28668 CVSS:5.9
Jenkins Role-based Authorization Strategy Plugin could allow a remote authenticated attacker to bypass security restrictions, caused by improper permission validation. By sending a specially crafted request, an attacker could exploit this vulnerability to grant permissions even after those permissions have been disabled.
Affected Vendor: Jenkins
Refer to the Jenkins Security Advisory for patch, upgrade, or suggested workaround information.