Filtered by vendor Jenkins
Total: 1606 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2020-2096 | 1 Jenkins | 1 Gitlab Hook | 2024-08-04 | 6.1 Medium | Jenkins Gitlab Hook Plugin 1.4.2 and earlier does not escape project names in the build_now endpoint, resulting in a reflected XSS vulnerability.
CVE-2020-2091 | 1 Jenkins | 1 Amazon Ec2 | 2024-08-04 | 8.1 High | A missing permission check in Jenkins Amazon EC2 Plugin 1.47 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL within the AWS region using attacker-specified credentials IDs obtained through another method.
CVE-2021-43576 | 1 Jenkins | 1 Pom2config | 2024-08-04 | 6.5 Medium | Jenkins pom2config Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks, allowing attackers with Overall/Read and Item/Read permissions to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
CVE-2021-43578 | 1 Jenkins | 1 Squash Tm Publisher | 2024-08-04 | 8.1 High | Jenkins Squash TM Publisher (Squash4Jenkins) Plugin 1.0.0 and earlier implements an agent-to-controller message that does not implement any validation of its input, allowing attackers able to control agent processes to replace arbitrary files on the Jenkins controller file system with an attacker-controlled JSON string.
CVE-2021-43577 | 1 Jenkins | 1 Owasp Dependency-check | 2024-08-04 | 7.1 High | Jenkins OWASP Dependency-Check Plugin 5.1.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2021-28165 | 5 Eclipse, Jenkins, Netapp and 2 more | 28 Jetty, Jenkins, Cloud Manager and 25 more | 2024-08-03 | 7.5 High | In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CVE-2021-21699 | 1 Jenkins | 1 Active Choices | 2024-08-03 | 5.4 Medium | Jenkins Active Choices Plugin 2.5.6 and earlier does not escape the parameter name of reactive parameters and dynamic reference parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
CVE-2021-21685 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2024-08-03 | 9.1 Critical | Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agent-to-controller access to create parent directories in FilePath#mkdirs.
CVE-2021-21701 | 1 Jenkins | 1 Performance | 2024-08-03 | 6.5 Medium | Jenkins Performance Plugin 3.20 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2021-21693 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2024-08-03 | 9.8 Critical | When creating temporary files, agent-to-controller access to create those files is only checked after they've been created in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.
CVE-2021-21696 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2024-08-03 | 9.8 Critical | Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not limit agent read/write access to the libs/ directory inside build directories when using the FilePath APIs, allowing attackers in control of agent processes to replace the code of a trusted library with a modified variant. This results in unsandboxed code execution in the Jenkins controller process.
CVE-2021-21686 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2024-08-03 | 8.1 High | File path filters in the agent-to-controller security subsystem of Jenkins 2.318 and earlier, LTS 2.303.2 and earlier do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories.
CVE-2021-21694 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2024-08-03 | 9.8 Critical | FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.
CVE-2021-21681 | 1 Jenkins | 1 Nomad | 2024-08-03 | 5.5 Medium | Jenkins Nomad Plugin 0.7.4 and earlier stores Docker passwords unencrypted in the global config.xml file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.
CVE-2021-21673 | 1 Jenkins | 1 Cas | 2024-08-03 | 6.1 Medium | Jenkins CAS Plugin 1.6.0 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins, allowing attackers to perform phishing attacks.
CVE-2021-21679 | 1 Jenkins | 1 Azure Ad | 2024-08-03 | 8.8 High | Jenkins Azure AD Plugin 179.vf6841393099e and earlier allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins.
CVE-2021-21700 | 1 Jenkins | 1 Scriptler | 2024-08-03 | 5.4 Medium | Jenkins Scriptler Plugin 3.3 and earlier does not escape the name of scripts on the UI when asking to confirm their deletion, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create Scriptler scripts.
CVE-2021-21678 | 1 Jenkins | 1 Saml | 2024-08-03 | 8.8 High | Jenkins SAML Plugin 2.0.7 and earlier allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins.
CVE-2021-21697 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2024-08-03 | 9.1 Critical | Jenkins 2.318 and earlier, LTS 2.303.2 and earlier allows any agent to read and write the contents of any build directory stored in Jenkins with very few restrictions.
CVE-2021-21683 | 2 Jenkins, Microsoft | 2 Jenkins, Windows | 2024-08-03 | 6.5 Medium | The file browser in Jenkins 2.314 and earlier, LTS 2.303.1 and earlier may interpret some paths to files as absolute on Windows, resulting in a path traversal vulnerability allowing attackers with Overall/Read permission (Windows controller) or Job/Workspace permission (Windows agents) to obtain the contents of arbitrary files.