Filtered by vendor Jenkins
Subscribe
Total
1395 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-23108 | 1 Jenkins | 1 Badge | 2022-01-18 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Badge Plugin 1.9 and earlier does not escape the description and does not check for allowed protocols when creating a badge, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-23106 | 1 Jenkins | 1 Configuration As Code | 2022-01-18 | 5.0 MEDIUM | 5.3 MEDIUM |
| Jenkins Configuration as Code Plugin 1.55 and earlier used a non-constant time comparison function when validating an authentication token allowing attackers to use statistical methods to obtain a valid authentication token. | |||||
| CVE-2022-23105 | 1 Jenkins | 1 Active Directory | 2022-01-18 | 2.9 LOW | 6.5 MEDIUM |
| Jenkins Active Directory Plugin 2.25 and earlier does not encrypt the transmission of data between the Jenkins controller and Active Directory servers in most configurations. | |||||
| CVE-2022-20621 | 1 Jenkins | 1 Metrics | 2022-01-18 | 2.1 LOW | 5.5 MEDIUM |
| Jenkins Metrics Plugin 4.0.2.8 and earlier stores an access key unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. | |||||
| CVE-2022-20617 | 1 Jenkins | 1 Docker Commons | 2022-01-18 | 6.5 MEDIUM | 8.8 HIGH |
| Jenkins Docker Commons Plugin 1.17 and earlier does not sanitize the name of an image or a tag, resulting in an OS command execution vulnerability exploitable by attackers with Item/Configure permission or able to control the contents of a previously configured job's SCM repository. | |||||
| CVE-2021-21700 | 1 Jenkins | 1 Scriptler | 2021-11-16 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Scriptler Plugin 3.3 and earlier does not escape the name of scripts on the UI when asking to confirm their deletion, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by exploitable by attackers able to create Scriptler scripts. | |||||
| CVE-2021-21699 | 1 Jenkins | 1 Active Choices | 2021-11-16 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Active Choices Plugin 2.5.6 and earlier does not escape the parameter name of reactive parameters and dynamic reference parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. | |||||
| CVE-2021-21701 | 1 Jenkins | 1 Performance | 2021-11-16 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Performance Plugin 3.20 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2021-43576 | 1 Jenkins | 1 Pom2config | 2021-11-16 | 4.3 MEDIUM | 6.5 MEDIUM |
| Jenkins pom2config Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks, allowing attackers with Overall/Read and Item/Read permissions to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. | |||||
| CVE-2021-43577 | 1 Jenkins | 1 Owasp Dependency-check | 2021-11-16 | 5.5 MEDIUM | 7.1 HIGH |
| Jenkins OWASP Dependency-Check Plugin 5.1.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2021-43578 | 1 Jenkins | 1 Squash Tm Publisher | 2021-11-16 | 5.5 MEDIUM | 8.1 HIGH |
| Jenkins Squash TM Publisher (Squash4Jenkins) Plugin 1.0.0 and earlier implements an agent-to-controller message that does not implement any validation of its input, allowing attackers able to control agent processes to replace arbitrary files on the Jenkins controller file system with an attacker-controlled JSON string. | |||||
| CVE-2021-21691 | 1 Jenkins | 1 Jenkins | 2021-11-09 | 7.5 HIGH | 9.8 CRITICAL |
| Creating symbolic links is possible without the 'symlink' agent-to-controller access control permission in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. | |||||
| CVE-2021-21692 | 1 Jenkins | 1 Jenkins | 2021-11-09 | 7.5 HIGH | 9.8 CRITICAL |
| FilePath#renameTo and FilePath#moveAllChildrenTo in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier only check 'read' agent-to-controller access permission on the source path, instead of 'delete'. | |||||
| CVE-2021-21694 | 1 Jenkins | 1 Jenkins | 2021-11-09 | 7.5 HIGH | 9.8 CRITICAL |
| FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. | |||||
| CVE-2021-21690 | 1 Jenkins | 1 Jenkins | 2021-11-09 | 7.5 HIGH | 9.8 CRITICAL |
| Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. | |||||
| CVE-2021-21698 | 1 Jenkins | 1 Subversion | 2021-11-08 | 5.0 MEDIUM | 7.5 HIGH |
| Jenkins Subversion Plugin 2.15.0 and earlier does not restrict the name of a file when looking up a subversion key file on the controller from an agent. | |||||
| CVE-2021-21697 | 1 Jenkins | 1 Jenkins | 2021-11-08 | 6.4 MEDIUM | 9.1 CRITICAL |
| Jenkins 2.318 and earlier, LTS 2.303.2 and earlier allows any agent to read and write the contents of any build directory stored in Jenkins with very few restrictions. | |||||
| CVE-2021-21696 | 1 Jenkins | 1 Jenkins | 2021-11-08 | 7.5 HIGH | 9.8 CRITICAL |
| Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not limit agent read/write access to the libs/ directory inside build directories when using the FilePath APIs, allowing attackers in control of agent processes to replace the code of a trusted library with a modified variant. This results in unsandboxed code execution in the Jenkins controller process. | |||||
| CVE-2021-21687 | 1 Jenkins | 1 Jenkins | 2021-11-08 | 6.4 MEDIUM | 9.1 CRITICAL |
| Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agent-to-controller access to create symbolic links when unarchiving a symbolic link in FilePath#untar. | |||||
| CVE-2021-21686 | 1 Jenkins | 1 Jenkins | 2021-11-08 | 5.8 MEDIUM | 8.1 HIGH |
| File path filters in the agent-to-controller security subsystem of Jenkins 2.318 and earlier, LTS 2.303.2 and earlier do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories. | |||||