CVE-2022-20612
- EPSS 1.78%
- Veröffentlicht 12.01.2022 20:15:08
- Zuletzt bearbeitet 21.11.2024 06:43:09
A cross-site request forgery (CSRF) vulnerability in Jenkins 2.329 and earlier, LTS 2.319.1 and earlier allows attackers to trigger build of job without parameters when no security realm is set.
CVE-2021-21686
- EPSS 1.91%
- Veröffentlicht 04.11.2021 17:15:08
- Zuletzt bearbeitet 21.11.2024 05:48:50
File path filters in the agent-to-controller security subsystem of Jenkins 2.318 and earlier, LTS 2.303.2 and earlier do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories.
CVE-2021-21687
- EPSS 1.34%
- Veröffentlicht 04.11.2021 17:15:08
- Zuletzt bearbeitet 21.11.2024 05:48:50
Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agent-to-controller access to create symbolic links when unarchiving a symbolic link in FilePath#untar.
CVE-2021-21688
- EPSS 1.33%
- Veröffentlicht 04.11.2021 17:15:08
- Zuletzt bearbeitet 21.11.2024 05:48:50
The agent-to-controller security check FilePath#reading(FileVisitor) in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not reject any operations, allowing users to have unrestricted read access using certain operations (creating archives, Fi...
CVE-2021-21689
- EPSS 1.42%
- Veröffentlicht 04.11.2021 17:15:08
- Zuletzt bearbeitet 21.11.2024 05:48:50
FilePath#unzip and FilePath#untar were not subject to any agent-to-controller access control in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.
CVE-2021-21690
- EPSS 2.45%
- Veröffentlicht 04.11.2021 17:15:08
- Zuletzt bearbeitet 21.11.2024 05:48:50
Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.
CVE-2021-21691
- EPSS 2.03%
- Veröffentlicht 04.11.2021 17:15:08
- Zuletzt bearbeitet 21.11.2024 05:48:50
Creating symbolic links is possible without the 'symlink' agent-to-controller access control permission in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.
CVE-2021-21692
- EPSS 2.03%
- Veröffentlicht 04.11.2021 17:15:08
- Zuletzt bearbeitet 21.11.2024 05:48:50
FilePath#renameTo and FilePath#moveAllChildrenTo in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier only check 'read' agent-to-controller access permission on the source path, instead of 'delete'.
CVE-2021-21693
- EPSS 1.51%
- Veröffentlicht 04.11.2021 17:15:08
- Zuletzt bearbeitet 21.11.2024 05:48:50
When creating temporary files, agent-to-controller access to create those files is only checked after they've been created in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.
CVE-2021-21694
- EPSS 1.51%
- Veröffentlicht 04.11.2021 17:15:08
- Zuletzt bearbeitet 21.11.2024 05:48:50
FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.