CVE-2021-21695
- EPSS 2.08%
- Veröffentlicht 04.11.2021 17:15:08
- Zuletzt bearbeitet 21.11.2024 05:48:51
FilePath#listFiles lists files outside directories that agents are allowed to access when following symbolic links in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.
CVE-2021-21696
- EPSS 2.32%
- Veröffentlicht 04.11.2021 17:15:08
- Zuletzt bearbeitet 21.11.2024 05:48:51
Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not limit agent read/write access to the libs/ directory inside build directories when using the FilePath APIs, allowing attackers in control of agent processes to replace the code of a trusted ...
CVE-2021-21697
- EPSS 1.55%
- Veröffentlicht 04.11.2021 17:15:08
- Zuletzt bearbeitet 21.11.2024 05:48:51
Jenkins 2.318 and earlier, LTS 2.303.2 and earlier allows any agent to read and write the contents of any build directory stored in Jenkins with very few restrictions.
CVE-2021-21685
- EPSS 1.47%
- Veröffentlicht 04.11.2021 17:15:07
- Zuletzt bearbeitet 21.11.2024 05:48:49
Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agent-to-controller access to create parent directories in FilePath#mkdirs.
CVE-2021-21682
- EPSS 0.97%
- Veröffentlicht 06.10.2021 23:15:06
- Zuletzt bearbeitet 21.11.2024 05:48:49
Jenkins 2.314 and earlier, LTS 2.303.1 and earlier accepts names of jobs and other entities with a trailing dot character, potentially replacing the configuration and data of other entities on Windows.
CVE-2021-21683
- EPSS 2.1%
- Veröffentlicht 06.10.2021 23:15:06
- Zuletzt bearbeitet 21.11.2024 05:48:49
The file browser in Jenkins 2.314 and earlier, LTS 2.303.1 and earlier may interpret some paths to files as absolute on Windows, resulting in a path traversal vulnerability allowing attackers with Overall/Read permission (Windows controller) or Job/W...
CVE-2021-21670
- EPSS 1.98%
- Veröffentlicht 30.06.2021 17:15:08
- Zuletzt bearbeitet 21.11.2024 05:48:48
Jenkins 2.299 and earlier, LTS 2.289.1 and earlier allows users to cancel queue items and abort builds of jobs for which they have Item/Cancel permission even when they do not have Item/Read permission.
CVE-2021-21671
- EPSS 1.71%
- Veröffentlicht 30.06.2021 17:15:08
- Zuletzt bearbeitet 21.11.2024 05:48:48
Jenkins 2.299 and earlier, LTS 2.289.1 and earlier does not invalidate the previous session on login.
CVE-2021-21640
- EPSS 1.91%
- Veröffentlicht 07.04.2021 14:15:17
- Zuletzt bearbeitet 21.11.2024 05:48:45
Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not properly check that a newly created view has an allowed name, allowing attackers with View/Create permission to create views with invalid or already-used names.
CVE-2021-21639
- EPSS 2.73%
- Veröffentlicht 07.04.2021 14:15:16
- Zuletzt bearbeitet 21.11.2024 05:48:44
Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not validate the type of object created after loading the data submitted to the `config.xml` REST API endpoint of a node, allowing attackers with Computer/Configure permission to replace a node ...