CVE-2021-21682
https://notcve.org/view.php?id=CVE-2021-21682
Jenkins 2.314 and earlier, LTS 2.303.1 and earlier accepts names of jobs and other entities with a trailing dot character, potentially replacing the configuration and data of other entities on Windows. Jenkins versiones 2.314 y anteriores, LTS versiones 2.303.1 y anteriores, aceptan nombres de trabajos y otras entidades con un carácter de punto al final, reemplazando potencialmente la configuración y los datos de otras entidades en Windows • http://www.openwall.com/lists/oss-security/2021/10/06/1 https://www.jenkins.io/security/advisory/2021-10-06/#SECURITY-2424 •
CVE-2021-21671 – jenkins: session fixation vulnerability
https://notcve.org/view.php?id=CVE-2021-21671
Jenkins 2.299 and earlier, LTS 2.289.1 and earlier does not invalidate the previous session on login. Jenkins versiones 2.299 y anteriores, versiones LTS 2.289.1 y anteriores no invalidan la sesión anterior al iniciar sesión Session fixation vulnerability was found in Jenkins. The existing session on login process are not invalidated and this allows an attacker to gain potentially additional access on Jenkins by using social engineering attack techniques on a target user. • http://www.openwall.com/lists/oss-security/2021/06/30/1 https://www.jenkins.io/security/advisory/2021-06-30/#SECURITY-2371 https://access.redhat.com/security/cve/CVE-2021-21671 https://bugzilla.redhat.com/show_bug.cgi?id=2007750 • CWE-384: Session Fixation •
CVE-2021-21670 – jenkins: improper permission checks allow canceling queue items and aborting builds
https://notcve.org/view.php?id=CVE-2021-21670
Jenkins 2.299 and earlier, LTS 2.289.1 and earlier allows users to cancel queue items and abort builds of jobs for which they have Item/Cancel permission even when they do not have Item/Read permission. Jenkins versiones 2.299 y anteriores, versiones LTS 2.289.1 y anteriores, permiten a usuarios cancelar elementos de la cola y abortar construcciones de trabajos para los que tienen permiso de Elemento/Cancelación incluso cuando no tienen permiso de Elemento/Lectura Incorrect Authorization vulnerability was found in Jenkins. Users with Item/Cancel permission are able to cancel queue items and abort builds of jobs even when they do not have Item/Read permission. • http://www.openwall.com/lists/oss-security/2021/06/30/1 https://www.jenkins.io/security/advisory/2021-06-30/#SECURITY-2278 https://access.redhat.com/security/cve/CVE-2021-21670 https://bugzilla.redhat.com/show_bug.cgi?id=2007749 • CWE-863: Incorrect Authorization •
CVE-2021-21640 – jenkins: view name validation bypass
https://notcve.org/view.php?id=CVE-2021-21640
Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not properly check that a newly created view has an allowed name, allowing attackers with View/Create permission to create views with invalid or already-used names. Jenkins 2.286 y versiones anteriores, LTS versiones 2.277.1 y anteriores, no comprueban apropiadamente a una visualización recién diseñada tener un nombre permitido, permitiendo a atacantes con permiso de View/Create crear visualizaciones con nombres no válidos o ya usados A flaw was found in Jenkins. Due to lack of validation of the newly created view name, an attackers with View/Create permission are allowed to create views with invalid or already-used names. • http://www.openwall.com/lists/oss-security/2021/04/07/2 https://www.jenkins.io/security/advisory/2021-04-07/#SECURITY-1871 https://access.redhat.com/security/cve/CVE-2021-21640 https://bugzilla.redhat.com/show_bug.cgi?id=1947105 • CWE-20: Improper Input Validation •
CVE-2021-21639 – jenkins: lack of type validation in agent related REST API
https://notcve.org/view.php?id=CVE-2021-21639
Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not validate the type of object created after loading the data submitted to the `config.xml` REST API endpoint of a node, allowing attackers with Computer/Configure permission to replace a node with one of a different type. Jenkins versiones 2.286 y anteriores, LTS versiones 2.277.1 y anteriores, no comprueba el tipo de objeto diseñado después de cargar los datos enviados al endpoint de la API REST "config.xml" de un nodo, permitiendo a atacantes con permiso Computer/Configure reemplazar un nodo con uno de un tipo diferente A flaw was found in Jenkins. Due to lack of validation of type of object created after loading the data submitted to the config.xml REST API endpoint of a node, an attackers with Computer/Configure permission are able to replace a node with one of a different type. • http://www.openwall.com/lists/oss-security/2021/04/07/2 https://www.jenkins.io/security/advisory/2021-04-07/#SECURITY-1721 https://access.redhat.com/security/cve/CVE-2021-21639 https://bugzilla.redhat.com/show_bug.cgi?id=1947102 • CWE-20: Improper Input Validation •