Page 12 of 62 results (0.026 seconds)

CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not limit sizes provided as query parameters to graph-rendering URLs, allowing attackers to request crafted URLs that use all available memory in Jenkins, potentially leading to out of memory errors. Jenkins versiones 2.274 y anteriores, LTS versiones 2.263.1 y anteriores, no limitan tamaños proporcionados como parámetros de consulta hacia unas URL de representación de gráficos, permitiendo a atacantes pedir URL diseñadas que usan toda la memoria disponible en Jenkins, conllevando potencialmente a unos errores de memoria insuficiente. • https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2025 https://access.redhat.com/security/cve/CVE-2021-21607 https://bugzilla.redhat.com/show_bug.cgi?id=1925156 • CWE-770: Allocation of Resources Without Limits or Throttling •

CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape button labels in the Jenkins UI, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to control button labels. Jenkins versiones 2.274 y anteriores, LTS versiones 2.263.1 y anteriores, no escapan las etiquetas de los botones en la Interfaz de Usuario de Jenkins, resultando en una vulnerabilidad de tipo cross-site scripting (XSS) explotable por unos atacantes con la habilidad de controlar unas etiquetas de unos botones. A flaw was found in jenkins. A cross-site scripting (XSS) vulnerability, due to the button labels not being properly escaped, can allow an attacker to control button labels. The highest threat from this vulnerability is to data confidentiality and integrity. • https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2035 https://access.redhat.com/security/cve/CVE-2021-21608 https://bugzilla.redhat.com/show_bug.cgi?id=1925140 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.0EPSS: 0%CPEs: 2EXPL: 0

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows users with Agent/Configure permission to choose agent names that cause Jenkins to override the global `config.xml` file. Jenkins versiones 2.274 y anteriores, LTS versiones 2.263.1 y anteriores, permite a usuarios con permiso Agent/Configure elegir nombres de agente que causa que Jenkins anule el archivo global "config.xml". A flaw was found in jenkins. Users with Agent/Configure permissions can choose agent names that cause an override to the global `config.xml` file. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. • https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2021 https://access.redhat.com/security/cve/CVE-2021-21605 https://bugzilla.redhat.com/show_bug.cgi?id=1925143 • CWE-20: Improper Input Validation CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier improperly validates the format of a provided fingerprint ID when checking for its existence allowing an attacker to check for the existence of XML files with a short path. Jenkins versiones 2.274 y anteriores, LTS versiones 2.263.1 y anteriores, comprueban inapropiadamente el formato de una identificación de huella digital proporcionada al comprobar su existencia, permitiendo a un atacante comprobar la existencia de archivos XML con una ruta corta. • https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2023 https://access.redhat.com/security/cve/CVE-2021-21606 https://bugzilla.redhat.com/show_bug.cgi?id=1925159 • CWE-20: Improper Input Validation •

CVSS: 8.0EPSS: 0%CPEs: 2EXPL: 0

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows attackers with permission to create or configure various objects to inject crafted content into Old Data Monitor that results in the instantiation of potentially unsafe objects once discarded by an administrator. Jenkins versiones 2.274 y anteriores, LTS versiones 2.263.1 y anteriores, permite a atacantes con permiso para crear o configurar varios objetos para inyectar contenido diseñado en Old Data Monitor que resulta en la instanciación de objetos potencialmente no seguros una vez que son descartados por un administrador. A flaw was found in jenkins. An attacker with permission to create or configure various objects to inject crafted content into Old Data Monitor can cause the instantiation of potentially unsafe objects once discarded by an administrator. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. • https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-1923 https://access.redhat.com/security/cve/CVE-2021-21604 https://bugzilla.redhat.com/show_bug.cgi?id=1925157 • CWE-502: Deserialization of Untrusted Data •