Jenkins Github vulnerabilities

CVE-2023-46650 [MEDIUM] CWE-79 CVE-2023-46650: Jenkins GitHub Plugin 1.37.3 and earlier does not escape the GitHub project URL on the build page wh Jenkins GitHub Plugin 1.37.3 and earlier does not escape the GitHub project URL on the build page when showing changes, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-36885 [MEDIUM] CWE-203 CVE-2022-36885: Jenkins GitHub Plugin 1.34.4 and earlier uses a non-constant time comparison function when checking Jenkins GitHub Plugin 1.34.4 and earlier uses a non-constant time comparison function when checking whether the provided and computed webhook signatures are equal, allowing attackers to use statistical methods to obtain a valid webhook signature.

CVE-2018-1000600 [HIGH] CWE-200 CVE-2018-1000600: A exposure of sensitive information vulnerability exists in Jenkins GitHub Plugin 1.29.1 and earlier A exposure of sensitive information vulnerability exists in Jenkins GitHub Plugin 1.29.1 and earlier in GitHubTokenCredentialsCreator.java that allows attackers to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVE-2018-1000184 [MEDIUM] CWE-918 CVE-2018-1000184: A server-side request forgery vulnerability exists in Jenkins GitHub Plugin 1.29.0 and older in GitH A server-side request forgery vulnerability exists in Jenkins GitHub Plugin 1.29.0 and older in GitHubPluginConfig.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL.

CVE-2018-1000183 [MEDIUM] CWE-200 CVE-2018-1000183: A exposure of sensitive information vulnerability exists in Jenkins GitHub Plugin 1.29.0 and older i A exposure of sensitive information vulnerability exists in Jenkins GitHub Plugin 1.29.0 and older in GitHubServerConfig.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.