Filtered by vendor Jenkins
Subscribe
Total
1395 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-21656 | 1 Jenkins | 1 Xcode Integration | 2021-05-19 | 5.5 MEDIUM | 7.1 HIGH |
| Jenkins Xcode integration Plugin 2.0.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2021-21654 | 1 Jenkins | 1 P4 | 2021-05-19 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins P4 Plugin 1.11.4 and earlier does not perform permission checks in multiple HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified Perforce server using attacker-specified username and password. | |||||
| CVE-2021-21650 | 1 Jenkins | 1 S3 Publisher | 2021-05-19 | 3.5 LOW | 4.3 MEDIUM |
| Jenkins S3 publisher Plugin 0.11.6 and earlier does not perform Run/Artifacts permission checks in various HTTP endpoints and API models, allowing attackers with Item/Read permission to obtain information about artifacts uploaded to S3, if the optional Run/Artifacts permission is enabled. | |||||
| CVE-2021-21651 | 1 Jenkins | 1 S3 Publisher | 2021-05-19 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins S3 publisher Plugin 0.11.6 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to obtain the list of configured profiles. | |||||
| CVE-2021-21649 | 1 Jenkins | 1 Dashboard View | 2021-05-14 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Dashboard View Plugin 2.15 and earlier does not escape URLs referenced in Image Dashboard Portlets, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Configure permission. | |||||
| CVE-2021-21648 | 1 Jenkins | 1 Credentials | 2021-05-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Jenkins Credentials Plugin 2.3.18 and earlier does not escape user-controlled information on a view it provides, resulting in a reflected cross-site scripting (XSS) vulnerability. | |||||
| CVE-2021-21645 | 1 Jenkins | 1 Config File Provider | 2021-04-26 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins Config File Provider Plugin 3.7.0 and earlier does not perform permission checks in several HTTP endpoints, attackers with Overall/Read permission to enumerate configuration file IDs. | |||||
| CVE-2021-21644 | 1 Jenkins | 1 Config File Provider | 2021-04-26 | 5.8 MEDIUM | 5.4 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Config File Provider Plugin 3.7.0 and earlier allows attackers to delete configuration files corresponding to an attacker-specified ID. | |||||
| CVE-2021-21646 | 1 Jenkins | 1 Templating Engine | 2021-04-26 | 6.5 MEDIUM | 8.8 HIGH |
| Jenkins Templating Engine Plugin 2.1 and earlier does not protect its pipeline configurations using Script Security Plugin, allowing attackers with Job/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM. | |||||
| CVE-2021-21647 | 1 Jenkins | 1 Cloudbees Cd | 2021-04-26 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins CloudBees CD Plugin 1.1.21 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Item/Read permission to schedule builds of projects without having Item/Build permission. | |||||
| CVE-2021-21643 | 1 Jenkins | 1 Config File Provider | 2021-04-23 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Config File Provider Plugin 3.7.0 and earlier does not correctly perform permission checks in several HTTP endpoints, allowing attackers with global Job/Configure permission to enumerate system-scoped credentials IDs of credentials stored in Jenkins. | |||||
| CVE-2021-21642 | 1 Jenkins | 1 Config File Provider | 2021-04-23 | 5.5 MEDIUM | 8.1 HIGH |
| Jenkins Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2021-21639 | 1 Jenkins | 1 Jenkins | 2021-04-13 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not validate the type of object created after loading the data submitted to the `config.xml` REST API endpoint of a node, allowing attackers with Computer/Configure permission to replace a node with one of a different type. | |||||
| CVE-2021-21640 | 1 Jenkins | 1 Jenkins | 2021-04-13 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not properly check that a newly created view has an allowed name, allowing attackers with View/Create permission to create views with invalid or already-used names. | |||||
| CVE-2021-21641 | 1 Jenkins | 1 Promoted Builds | 2021-04-12 | 4.3 MEDIUM | 4.3 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins promoted builds Plugin 3.9 and earlier allows attackers to to promote builds. | |||||
| CVE-2021-21637 | 1 Jenkins | 1 Team Foundation Server | 2021-04-05 | 4.0 MEDIUM | 6.5 MEDIUM |
| A missing permission check in Jenkins Team Foundation Server Plugin 5.157.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2021-21636 | 1 Jenkins | 1 Team Foundation Server | 2021-04-05 | 4.0 MEDIUM | 4.3 MEDIUM |
| A missing permission check in Jenkins Team Foundation Server Plugin 5.157.1 and earlier allows attackers with Overall/Read permission to enumerate credentials ID of credentials stored in Jenkins. | |||||
| CVE-2021-21635 | 1 Jenkins | 1 Rest List Parameter | 2021-04-05 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins REST List Parameter Plugin 1.3.0 and earlier does not escape a parameter name reference in embedded JavaScript, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. | |||||
| CVE-2021-21638 | 1 Jenkins | 1 Team Foundation Server | 2021-04-02 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Team Foundation Server Plugin 5.157.1 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2021-21630 | 1 Jenkins | 1 Extra Columns | 2021-04-02 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Extra Columns Plugin 1.22 and earlier does not escape parameter values in the build parameters column, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. | |||||