Filtered by vendor Redhat
Subscriptions
Total
21359 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-21670 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2024-08-03 | 4.3 Medium |
| Jenkins 2.299 and earlier, LTS 2.289.1 and earlier allows users to cancel queue items and abort builds of jobs for which they have Item/Cancel permission even when they do not have Item/Read permission. | ||||
| CVE-2021-21691 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2024-08-03 | 9.8 Critical |
| Creating symbolic links is possible without the 'symlink' agent-to-controller access control permission in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. | ||||
| CVE-2021-21689 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2024-08-03 | 9.1 Critical |
| FilePath#unzip and FilePath#untar were not subject to any agent-to-controller access control in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. | ||||
| CVE-2021-21692 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2024-08-03 | 9.8 Critical |
| FilePath#renameTo and FilePath#moveAllChildrenTo in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier only check 'read' agent-to-controller access permission on the source path, instead of 'delete'. | ||||
| CVE-2021-21690 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2024-08-03 | 9.8 Critical |
| Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. | ||||
| CVE-2021-21698 | 2 Jenkins, Redhat | 2 Subversion, Openshift | 2024-08-03 | 7.5 High |
| Jenkins Subversion Plugin 2.15.0 and earlier does not restrict the name of a file when looking up a subversion key file on the controller from an agent. | ||||
| CVE-2021-21671 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2024-08-03 | 7.5 High |
| Jenkins 2.299 and earlier, LTS 2.289.1 and earlier does not invalidate the previous session on login. | ||||
| CVE-2021-21648 | 2 Jenkins, Redhat | 2 Credentials, Openshift | 2024-08-03 | 6.1 Medium |
| Jenkins Credentials Plugin 2.3.18 and earlier does not escape user-controlled information on a view it provides, resulting in a reflected cross-site scripting (XSS) vulnerability. | ||||
| CVE-2021-21639 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2024-08-03 | 4.3 Medium |
| Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not validate the type of object created after loading the data submitted to the `config.xml` REST API endpoint of a node, allowing attackers with Computer/Configure permission to replace a node with one of a different type. | ||||
| CVE-2021-21643 | 2 Jenkins, Redhat | 3 Config File Provider, Openshift, Rhmt | 2024-08-03 | 6.5 Medium |
| Jenkins Config File Provider Plugin 3.7.0 and earlier does not correctly perform permission checks in several HTTP endpoints, allowing attackers with global Job/Configure permission to enumerate system-scoped credentials IDs of credentials stored in Jenkins. | ||||
| CVE-2021-21642 | 2 Jenkins, Redhat | 3 Config File Provider, Openshift, Rhmt | 2024-08-03 | 8.1 High |
| Jenkins Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | ||||
| CVE-2021-21623 | 2 Jenkins, Redhat | 2 Matrix Authorization Strategy, Openshift | 2024-08-03 | 6.5 Medium |
| An incorrect permission check in Jenkins Matrix Authorization Strategy Plugin 2.6.5 and earlier allows attackers with Item/Read permission on nested items to access them, even if they lack Item/Read permission for parent folders. | ||||
| CVE-2021-21645 | 2 Jenkins, Redhat | 3 Config File Provider, Openshift, Rhmt | 2024-08-03 | 4.3 Medium |
| Jenkins Config File Provider Plugin 3.7.0 and earlier does not perform permission checks in several HTTP endpoints, attackers with Overall/Read permission to enumerate configuration file IDs. | ||||
| CVE-2021-21640 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2024-08-03 | 4.3 Medium |
| Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not properly check that a newly created view has an allowed name, allowing attackers with View/Create permission to create views with invalid or already-used names. | ||||
| CVE-2021-21607 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2024-08-03 | 6.5 Medium |
| Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not limit sizes provided as query parameters to graph-rendering URLs, allowing attackers to request crafted URLs that use all available memory in Jenkins, potentially leading to out of memory errors. | ||||
| CVE-2021-21644 | 2 Jenkins, Redhat | 3 Config File Provider, Openshift, Rhmt | 2024-08-03 | 5.4 Medium |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Config File Provider Plugin 3.7.0 and earlier allows attackers to delete configuration files corresponding to an attacker-specified ID. | ||||
| CVE-2021-21615 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2024-08-03 | 5.3 Medium |
| Jenkins 2.275 and LTS 2.263.2 allows reading arbitrary files using the file browser for workspaces and archived artifacts due to a time-of-check to time-of-use (TOCTOU) race condition. | ||||
| CVE-2021-21609 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2024-08-03 | 5.3 Medium |
| Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not correctly match requested URLs to the list of always accessible paths, allowing attackers without Overall/Read permission to access some URLs as if they did have Overall/Read permission. | ||||
| CVE-2021-21611 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2024-08-03 | 5.4 Medium |
| Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape display names and IDs of item types shown on the New Item page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to specify display names or IDs of item types. | ||||
| CVE-2021-21602 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2024-08-03 | 6.5 Medium |
| Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows reading arbitrary files using the file browser for workspaces and archived artifacts by following symlinks. | ||||