Filtered by vendor Redhat
Subscriptions
Total
21501 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-21623 | 2 Jenkins, Redhat | 2 Matrix Authorization Strategy, Openshift | 2024-11-21 | 6.5 Medium |
| An incorrect permission check in Jenkins Matrix Authorization Strategy Plugin 2.6.5 and earlier allows attackers with Item/Read permission on nested items to access them, even if they lack Item/Read permission for parent folders. | ||||
| CVE-2021-21615 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2024-11-21 | 5.3 Medium |
| Jenkins 2.275 and LTS 2.263.2 allows reading arbitrary files using the file browser for workspaces and archived artifacts due to a time-of-check to time-of-use (TOCTOU) race condition. | ||||
| CVE-2021-21611 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2024-11-21 | 5.4 Medium |
| Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape display names and IDs of item types shown on the New Item page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to specify display names or IDs of item types. | ||||
| CVE-2021-21610 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2024-11-21 | 6.1 Medium |
| Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not implement any restrictions for the URL rendering a formatted preview of markup passed as a query parameter, resulting in a reflected cross-site scripting (XSS) vulnerability if the configured markup formatter does not prohibit unsafe elements (JavaScript) in markup. | ||||
| CVE-2021-21609 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2024-11-21 | 5.3 Medium |
| Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not correctly match requested URLs to the list of always accessible paths, allowing attackers without Overall/Read permission to access some URLs as if they did have Overall/Read permission. | ||||
| CVE-2021-21608 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2024-11-21 | 5.4 Medium |
| Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape button labels in the Jenkins UI, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to control button labels. | ||||
| CVE-2021-21607 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2024-11-21 | 6.5 Medium |
| Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not limit sizes provided as query parameters to graph-rendering URLs, allowing attackers to request crafted URLs that use all available memory in Jenkins, potentially leading to out of memory errors. | ||||
| CVE-2021-21606 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2024-11-21 | 4.3 Medium |
| Jenkins 2.274 and earlier, LTS 2.263.1 and earlier improperly validates the format of a provided fingerprint ID when checking for its existence allowing an attacker to check for the existence of XML files with a short path. | ||||
| CVE-2021-21605 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2024-11-21 | 8.0 High |
| Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows users with Agent/Configure permission to choose agent names that cause Jenkins to override the global `config.xml` file. | ||||
| CVE-2021-21604 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2024-11-21 | 8.0 High |
| Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows attackers with permission to create or configure various objects to inject crafted content into Old Data Monitor that results in the instantiation of potentially unsafe objects once discarded by an administrator. | ||||
| CVE-2021-21603 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2024-11-21 | 5.4 Medium |
| Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape notification bar response contents, resulting in a cross-site scripting (XSS) vulnerability. | ||||
| CVE-2021-21602 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2024-11-21 | 6.5 Medium |
| Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows reading arbitrary files using the file browser for workspaces and archived artifacts by following symlinks. | ||||
| CVE-2021-21419 | 3 Eventlet, Fedoraproject, Redhat | 4 Eventlet, Fedora, Openshift and 1 more | 2024-11-21 | 5.3 Medium |
| Eventlet is a concurrent networking library for Python. A websocket peer may exhaust memory on Eventlet side by sending very large websocket frames. Malicious peer may exhaust memory on Eventlet side by sending highly compressed data frame. A patch in version 0.31.0 restricts websocket frame to reasonable limits. As a workaround, restricting memory usage via OS limits would help against overall machine exhaustion, but there is no workaround to protect Eventlet process. | ||||
| CVE-2021-21409 | 6 Debian, Netapp, Netty and 3 more | 29 Debian Linux, Oncommand Api Services, Oncommand Workflow Automation and 26 more | 2024-11-21 | 5.9 Medium |
| Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final. | ||||
| CVE-2021-21381 | 4 Debian, Fedoraproject, Flatpak and 1 more | 5 Debian Linux, Fedora, Flatpak and 2 more | 2024-11-21 | 7.1 High |
| Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In Flatpack since version 0.9.4 and before version 1.10.2 has a vulnerability in the "file forwarding" feature which can be used by an attacker to gain access to files that would not ordinarily be allowed by the app's permissions. By putting the special tokens `@@` and/or `@@u` in the Exec field of a Flatpak app's .desktop file, a malicious app publisher can trick flatpak into behaving as though the user had chosen to open a target file with their Flatpak app, which automatically makes that file available to the Flatpak app. This is fixed in version 1.10.2. A minimal solution is the first commit "`Disallow @@ and @@U usage in desktop files`". The follow-up commits "`dir: Reserve the whole @@ prefix`" and "`dir: Refuse to export .desktop files with suspicious uses of @@ tokens`" are recommended, but not strictly required. As a workaround, avoid installing Flatpak apps from untrusted sources, or check the contents of the exported `.desktop` files in `exports/share/applications/*.desktop` (typically `~/.local/share/flatpak/exports/share/applications/*.desktop` and `/var/lib/flatpak/exports/share/applications/*.desktop`) to make sure that literal filenames do not follow `@@` or `@@u`. | ||||
| CVE-2021-21351 | 5 Debian, Fedoraproject, Oracle and 2 more | 19 Debian Linux, Fedora, Banking Enterprise Default Management and 16 more | 2024-11-21 | 5.4 Medium |
| XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16. | ||||
| CVE-2021-21350 | 5 Debian, Fedoraproject, Oracle and 2 more | 20 Debian Linux, Fedora, Banking Enterprise Default Management and 17 more | 2024-11-21 | 5.3 Medium |
| XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16. | ||||
| CVE-2021-21349 | 5 Debian, Fedoraproject, Oracle and 2 more | 20 Debian Linux, Fedora, Banking Enterprise Default Management and 17 more | 2024-11-21 | 6.1 Medium |
| XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16. | ||||
| CVE-2021-21348 | 5 Debian, Fedoraproject, Oracle and 2 more | 19 Debian Linux, Fedora, Banking Enterprise Default Management and 16 more | 2024-11-21 | 5.3 Medium |
| XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16. | ||||
| CVE-2021-21347 | 5 Debian, Fedoraproject, Oracle and 2 more | 20 Debian Linux, Fedora, Banking Enterprise Default Management and 17 more | 2024-11-21 | 6.1 Medium |
| XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16. | ||||