Jenkins CRX Content Package Deployer vulnerabilities
4 known vulnerabilities affecting jenkins/crx_content_package_deployer.
Total CVEs: 4
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 1, MEDIUM 3
Vulnerabilities
CVE-2022-34184 | MEDIUM | CVSS 5.4 | CWE-79 | ≤ 1.9 | 2022-06-23
Jenkins CRX Content Package Deployer Plugin 1.9 and earlier does not escape the name and description of CRX Content Package Choice parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
Source: NVD
CVE-2019-10437 | HIGH | CVSS 8.8 | CWE-352 | ≤ 1.8.1 | 2019-10-16
A cross-site request forgery vulnerability in Jenkins CRX Content Package Deployer Plugin 1.8.1 and earlier allowed attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Source: NVD
CVE-2019-10439 | MEDIUM | CVSS 4.3 | CWE-862 | ≤ 1.8.1 | 2019-10-16
A missing permission check in Jenkins CRX Content Package Deployer Plugin 1.8.1 and earlier in various 'doFillCredentialsIdItems' methods allowed users with Overall/Read access to enumerate credentials IDs of credentials stored in Jenkins.
Source: NVD
CVE-2019-10438 | MEDIUM | CVSS 6.5 | CWE-862 | ≤ 1.8.1 | 2019-10-16
A missing permission check in Jenkins CRX Content Package Deployer Plugin 1.8.1 and earlier allowed attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Source: NVD