VYPR

Maven package

org.jenkins-ci.main/jenkins-core

pkg:maven/org.jenkins-ci.main/jenkins-core

Vulnerabilities (249)

  • CVE-2021-21683MedOct 6, 2021
    affected < 2.303.2fixed 2.303.2

    The file browser in Jenkins 2.314 and earlier, LTS 2.303.1 and earlier may interpret some paths to files as absolute on Windows, resulting in a path traversal vulnerability allowing attackers with Overall/Read permission (Windows controller) or Job/Workspace permission (Windows a

  • CVE-2021-21682MedOct 6, 2021
    affected >= 2.304, < 2.315fixed 2.315

    Jenkins 2.314 and earlier, LTS 2.303.1 and earlier accepts names of jobs and other entities with a trailing dot character, potentially replacing the configuration and data of other entities on Windows.

  • CVE-2021-21671HigJun 30, 2021
    affected >= 2.292, < 2.300fixed 2.300

    Jenkins 2.299 and earlier, LTS 2.289.1 and earlier does not invalidate the previous session on login.

  • CVE-2021-21670MedJun 30, 2021
    affected < 2.289.2fixed 2.289.2

    Jenkins 2.299 and earlier, LTS 2.289.1 and earlier allows users to cancel queue items and abort builds of jobs for which they have Item/Cancel permission even when they do not have Item/Read permission.

  • CVE-2021-21640MedApr 7, 2021
    affected < 2.277.2fixed 2.277.2

    Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not properly check that a newly created view has an allowed name, allowing attackers with View/Create permission to create views with invalid or already-used names.

  • CVE-2021-21639MedApr 7, 2021
    affected < 2.277.2fixed 2.277.2

    Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not validate the type of object created after loading the data submitted to the `config.xml` REST API endpoint of a node, allowing attackers with Computer/Configure permission to replace a node with one of a different type.

  • CVE-2021-21615MedJan 26, 2021
    affected < 2.263.3fixed 2.263.3

    Jenkins 2.275 and LTS 2.263.2 allows reading arbitrary files using the file browser for workspaces and archived artifacts due to a time-of-check to time-of-use (TOCTOU) race condition.

  • CVE-2021-21611MedJan 13, 2021
    affected < 2.263.2fixed 2.263.2

    Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape display names and IDs of item types shown on the New Item page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to specify display names or IDs of item types.

  • CVE-2021-21610MedJan 13, 2021
    affected < 2.263.2fixed 2.263.2

    Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not implement any restrictions for the URL rendering a formatted preview of markup passed as a query parameter, resulting in a reflected cross-site scripting (XSS) vulnerability if the configured markup formatter does not pr

  • CVE-2021-21609MedJan 13, 2021
    affected < 2.263.2fixed 2.263.2

    Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not correctly match requested URLs to the list of always accessible paths, allowing attackers without Overall/Read permission to access some URLs as if they did have Overall/Read permission.

  • CVE-2021-21608MedJan 13, 2021
    affected < 2.275fixed 2.275

    Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape button labels in the Jenkins UI, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to control button labels.

  • CVE-2021-21607MedJan 13, 2021
    affected < 2.263.2fixed 2.263.2

    Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not limit sizes provided as query parameters to graph-rendering URLs, allowing attackers to request crafted URLs that use all available memory in Jenkins, potentially leading to out of memory errors.

  • CVE-2021-21606MedJan 13, 2021
    affected < 2.263.2fixed 2.263.2

    Jenkins 2.274 and earlier, LTS 2.263.1 and earlier improperly validates the format of a provided fingerprint ID when checking for its existence allowing an attacker to check for the existence of XML files with a short path.

  • CVE-2021-21605HigJan 13, 2021
    affected < 2.263.2fixed 2.263.2

    Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows users with Agent/Configure permission to choose agent names that cause Jenkins to override the global `config.xml` file.

  • CVE-2021-21604HigJan 13, 2021
    affected < 2.263.2fixed 2.263.2

    Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows attackers with permission to create or configure various objects to inject crafted content into Old Data Monitor that results in the instantiation of potentially unsafe objects once discarded by an administrator.

  • CVE-2021-21603MedJan 13, 2021
    affected < 2.275fixed 2.275

    Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape notification bar response contents, resulting in a cross-site scripting (XSS) vulnerability.

  • CVE-2021-21602MedJan 13, 2021
    affected < 2.263.2fixed 2.263.2

    Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows reading arbitrary files using the file browser for workspaces and archived artifacts by following symlinks.

  • CVE-2020-2231MedAug 12, 2020
    affected < 2.235.4fixed 2.235.4

    Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the remote address of the host starting a build via 'Trigger builds remotely', resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission or knowledge of the

  • CVE-2020-2230MedAug 12, 2020
    affected < 2.235.4fixed 2.235.4

    Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the project naming strategy description, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with Overall/Manage permission.

  • CVE-2020-2229MedAug 12, 2020
    affected < 2.235.4fixed 2.235.4

    Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the tooltip content of help icons, resulting in a stored cross-site scripting (XSS) vulnerability.

Page 4 of 13