Filtered by vendor Jenkins
Subscriptions
Total
1606 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2021-21684 | 2 Jenkins, Redhat | 2 Git, Openshift | 2024-08-03 | 6.1 Medium |
Jenkins Git Plugin 4.8.2 and earlier does not escape the Git SHA-1 checksum parameters provided to commit notifications when displaying them in a build cause, resulting in a stored cross-site scripting (XSS) vulnerability. | ||||
CVE-2021-21680 | 1 Jenkins | 1 Nested View | 2024-08-03 | 7.1 High |
Jenkins Nested View Plugin 1.20 and earlier does not configure its XML transformer to prevent XML external entity (XXE) attacks. | ||||
CVE-2021-21656 | 1 Jenkins | 1 Xcode Integration | 2024-08-03 | 7.1 High |
Jenkins Xcode integration Plugin 2.0.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | ||||
CVE-2021-21665 | 1 Jenkins | 1 Xebialabs Xl Deploy | 2024-08-03 | 8.8 High |
A cross-site request forgery (CSRF) vulnerability in Jenkins XebiaLabs XL Deploy Plugin 10.0.1 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing Username/password credentials stored in Jenkins. | ||||
CVE-2021-21695 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2024-08-03 | 8.8 High |
FilePath#listFiles lists files outside directories that agents are allowed to access when following symbolic links in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. | ||||
CVE-2021-21676 | 1 Jenkins | 1 Requests | 2024-08-03 | 4.3 Medium |
Jenkins requests-plugin Plugin 2.2.7 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to send test emails to an attacker-specified email address. | ||||
CVE-2021-21687 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2024-08-03 | 9.1 Critical |
Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agent-to-controller access to create symbolic links when unarchiving a symbolic link in FilePath#untar. | ||||
CVE-2021-21688 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2024-08-03 | 7.5 High |
The agent-to-controller security check FilePath#reading(FileVisitor) in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not reject any operations, allowing users to have unrestricted read access using certain operations (creating archives, FilePath#copyRecursiveTo). | ||||
CVE-2021-21674 | 1 Jenkins | 1 Requests | 2024-08-03 | 4.3 Medium |
A missing permission check in Jenkins requests-plugin Plugin 2.2.6 and earlier allows attackers with Overall/Read permission to view the list of pending requests. | ||||
CVE-2021-21682 | 2 Jenkins, Microsoft | 2 Jenkins, Windows | 2024-08-03 | 4.3 Medium |
Jenkins 2.314 and earlier, LTS 2.303.1 and earlier accepts names of jobs and other entities with a trailing dot character, potentially replacing the configuration and data of other entities on Windows. | ||||
CVE-2021-21657 | 1 Jenkins | 1 Filesystem Trigger | 2024-08-03 | 8.8 High |
Jenkins Filesystem Trigger Plugin 0.40 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | ||||
CVE-2021-21661 | 1 Jenkins | 1 Kubernetes | 2024-08-03 | 4.3 Medium |
Jenkins Kubernetes CLI Plugin 1.10.0 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | ||||
CVE-2021-21667 | 1 Jenkins | 1 Scriptler | 2024-08-03 | 5.4 Medium |
Jenkins Scriptler Plugin 3.2 and earlier does not escape parameter names shown in job configuration forms, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Scriptler/Configure permission. | ||||
CVE-2021-21670 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2024-08-03 | 4.3 Medium |
Jenkins 2.299 and earlier, LTS 2.289.1 and earlier allows users to cancel queue items and abort builds of jobs for which they have Item/Cancel permission even when they do not have Item/Read permission. | ||||
CVE-2021-21691 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2024-08-03 | 9.8 Critical |
Creating symbolic links is possible without the 'symlink' agent-to-controller access control permission in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. | ||||
CVE-2021-21689 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2024-08-03 | 9.1 Critical |
FilePath#unzip and FilePath#untar were not subject to any agent-to-controller access control in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. | ||||
CVE-2021-21677 | 1 Jenkins | 1 Code Coverage Api | 2024-08-03 | 8.8 High |
Jenkins Code Coverage API Plugin 1.4.0 and earlier does not apply Jenkins JEP-200 deserialization protection to Java objects it deserializes from disk, resulting in a remote code execution vulnerability. | ||||
CVE-2021-21662 | 1 Jenkins | 1 Xebialabs Xl Deploy | 2024-08-03 | 4.3 Medium |
A missing permission check in Jenkins XebiaLabs XL Deploy Plugin 10.0.1 and earlier allows attackers with Overall/Read permission to enumerate credentials ID of credentials stored in Jenkins. | ||||
CVE-2021-21669 | 1 Jenkins | 1 Generic Webhook Trigger | 2024-08-03 | 9.8 Critical |
Jenkins Generic Webhook Trigger Plugin 1.72 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | ||||
CVE-2021-21692 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2024-08-03 | 9.8 Critical |
FilePath#renameTo and FilePath#moveAllChildrenTo in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier only check 'read' agent-to-controller access permission on the source path, instead of 'delete'. |