Jenkins

jenkins

Vendor: Jenkins • 259 CVEs

CVEs (259)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2021-21689 1Jenkins 1Jenkins Nov 21, 2024 Nov 4, 2021 N/A· v4 9.1 CRITICAL· v3 6.4 MEDIUM· v2 FilePath#unzip and FilePath#untar were not subject to any agent-to-controller access control in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.
CVE-2021-21688 1Jenkins 1Jenkins Nov 21, 2024 Nov 4, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 The agent-to-controller security check FilePath#reading(FileVisitor) in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not reject any operations, allowing users to have unrestricted read access using certain ope...Show more The agent-to-controller security check FilePath#reading(FileVisitor) in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not reject any operations, allowing users to have unrestricted read access using certain operations (creating archives, FilePath#copyRecursiveTo).Show less
CVE-2021-21687 1Jenkins 1Jenkins Nov 21, 2024 Nov 4, 2021 N/A· v4 9.1 CRITICAL· v3 6.4 MEDIUM· v2 Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agent-to-controller access to create symbolic links when unarchiving a symbolic link in FilePath#untar.
CVE-2021-21686 1Jenkins 1Jenkins Nov 21, 2024 Nov 4, 2021 N/A· v4 8.1 HIGH· v3 5.8 MEDIUM· v2 File path filters in the agent-to-controller security subsystem of Jenkins 2.318 and earlier, LTS 2.303.2 and earlier do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories...Show more File path filters in the agent-to-controller security subsystem of Jenkins 2.318 and earlier, LTS 2.303.2 and earlier do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories.Show less
CVE-2021-21685 1Jenkins 1Jenkins Nov 21, 2024 Nov 4, 2021 N/A· v4 9.1 CRITICAL· v3 6.4 MEDIUM· v2 Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agent-to-controller access to create parent directories in FilePath#mkdirs.
CVE-2021-21683 1Jenkins 1Jenkins Nov 21, 2024 Oct 6, 2021 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 The file browser in Jenkins 2.314 and earlier, LTS 2.303.1 and earlier may interpret some paths to files as absolute on Windows, resulting in a path traversal vulnerability allowing attackers with Overall/Read permission...Show more The file browser in Jenkins 2.314 and earlier, LTS 2.303.1 and earlier may interpret some paths to files as absolute on Windows, resulting in a path traversal vulnerability allowing attackers with Overall/Read permission (Windows controller) or Job/Workspace permission (Windows agents) to obtain the contents of arbitrary files.Show less
CVE-2021-21682 1Jenkins 1Jenkins Nov 21, 2024 Oct 6, 2021 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 Jenkins 2.314 and earlier, LTS 2.303.1 and earlier accepts names of jobs and other entities with a trailing dot character, potentially replacing the configuration and data of other entities on Windows.
CVE-2021-21671 1Jenkins 1Jenkins Nov 21, 2024 Jun 30, 2021 N/A· v4 7.5 HIGH· v3 5.1 MEDIUM· v2 Jenkins 2.299 and earlier, LTS 2.289.1 and earlier does not invalidate the previous session on login.
CVE-2021-21670 1Jenkins 1Jenkins Nov 21, 2024 Jun 30, 2021 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 Jenkins 2.299 and earlier, LTS 2.289.1 and earlier allows users to cancel queue items and abort builds of jobs for which they have Item/Cancel permission even when they do not have Item/Read permission.
CVE-2021-21640 1Jenkins 1Jenkins Nov 21, 2024 Apr 7, 2021 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not properly check that a newly created view has an allowed name, allowing attackers with View/Create permission to create views with invalid or already-used names.
CVE-2021-21639 1Jenkins 1Jenkins Nov 21, 2024 Apr 7, 2021 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not validate the type of object created after loading the data submitted to the `config.xml` REST API endpoint of a node, allowing attackers with Computer/Configure...Show more Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not validate the type of object created after loading the data submitted to the `config.xml` REST API endpoint of a node, allowing attackers with Computer/Configure permission to replace a node with one of a different type.Show less
CVE-2021-28165 4Eclipse JenkinsNetapp+1 more 21Autovue For Agile Product Lifecycle Management Cloud ManagerCommunications Cloud Native Core Policy+18 more Aug 27, 2025 Apr 1, 2021 N/A· v4 7.5 HIGH· v3 7.8 HIGH· v2 In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CVE-2021-21615 1Jenkins 1Jenkins Nov 21, 2024 Jan 26, 2021 N/A· v4 5.3 MEDIUM· v3 3.5 LOW· v2 Jenkins 2.275 and LTS 2.263.2 allows reading arbitrary files using the file browser for workspaces and archived artifacts due to a time-of-check to time-of-use (TOCTOU) race condition.
CVE-2021-21611 1Jenkins 1Jenkins Nov 21, 2024 Jan 13, 2021 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape display names and IDs of item types shown on the New Item page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers a...Show more Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape display names and IDs of item types shown on the New Item page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to specify display names or IDs of item types.Show less
CVE-2021-21610 1Jenkins 1Jenkins Nov 21, 2024 Jan 13, 2021 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not implement any restrictions for the URL rendering a formatted preview of markup passed as a query parameter, resulting in a reflected cross-site scripting (XSS)...Show more Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not implement any restrictions for the URL rendering a formatted preview of markup passed as a query parameter, resulting in a reflected cross-site scripting (XSS) vulnerability if the configured markup formatter does not prohibit unsafe elements (JavaScript) in markup.Show less
CVE-2021-21609 1Jenkins 1Jenkins Nov 21, 2024 Jan 13, 2021 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not correctly match requested URLs to the list of always accessible paths, allowing attackers without Overall/Read permission to access some URLs as if they did hav...Show more Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not correctly match requested URLs to the list of always accessible paths, allowing attackers without Overall/Read permission to access some URLs as if they did have Overall/Read permission.Show less
CVE-2021-21608 1Jenkins 1Jenkins Nov 21, 2024 Jan 13, 2021 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape button labels in the Jenkins UI, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to control button labe...Show more Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape button labels in the Jenkins UI, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to control button labels.Show less
CVE-2021-21607 1Jenkins 1Jenkins Nov 21, 2024 Jan 13, 2021 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not limit sizes provided as query parameters to graph-rendering URLs, allowing attackers to request crafted URLs that use all available memory in Jenkins, potential...Show more Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not limit sizes provided as query parameters to graph-rendering URLs, allowing attackers to request crafted URLs that use all available memory in Jenkins, potentially leading to out of memory errors.Show less
CVE-2021-21606 1Jenkins 1Jenkins Nov 21, 2024 Jan 13, 2021 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 Jenkins 2.274 and earlier, LTS 2.263.1 and earlier improperly validates the format of a provided fingerprint ID when checking for its existence allowing an attacker to check for the existence of XML files with a short pa...Show more Jenkins 2.274 and earlier, LTS 2.263.1 and earlier improperly validates the format of a provided fingerprint ID when checking for its existence allowing an attacker to check for the existence of XML files with a short path.Show less
CVE-2021-21605 1Jenkins 1Jenkins Nov 21, 2024 Jan 13, 2021 N/A· v4 8.0 HIGH· v3 6.0 MEDIUM· v2 Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows users with Agent/Configure permission to choose agent names that cause Jenkins to override the global `config.xml` file.

Previous 1 2 345...13 Next