CVE-2021-21603 – jenkins: XSS vulnerability in notification bar
https://notcve.org/view.php?id=CVE-2021-21603
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape notification bar response contents, resulting in a cross-site scripting (XSS) vulnerability. Jenkins versiones 2.274 y anteriores, LTS versiones 2.263.1 y anteriores, no escapan el contenido de respuesta de la barra de notificaciones, resultando en una vulnerabilidad de tipo cross-site scripting (XSS). A flaw was found in jenkins. A cross-site scripting (XSS) vulnerability is possible due to the contents of the notification bar responses not being properly escaped. The highest threat from this vulnerability is to data confidentiality and integrity. • https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-1889 https://access.redhat.com/security/cve/CVE-2021-21603 https://bugzilla.redhat.com/show_bug.cgi?id=1925160 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-21602 – jenkins: Arbitrary file read vulnerability in workspace browsers
https://notcve.org/view.php?id=CVE-2021-21602
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows reading arbitrary files using the file browser for workspaces and archived artifacts by following symlinks. Jenkins versiones 2.274 y anteriores, LTS versiones 2.263.1 y anteriores, permite leer archivos arbitrarios usando el explorador de archivos para espacios de trabajo y artefactos archivados al seguir enlaces simbólicos. • https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-1452 https://access.redhat.com/security/cve/CVE-2021-21602 https://bugzilla.redhat.com/show_bug.cgi?id=1925161 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVE-2020-2251
https://notcve.org/view.php?id=CVE-2020-2251
Jenkins SoapUI Pro Functional Testing Plugin 1.5 and earlier transmits project passwords in its configuration in plain text as part of job configuration forms, potentially resulting in their exposure. Jenkins SoapUI Pro Functional Testing Plugin versiones 1.5 y anteriores, transmite contraseñas del proyecto dentro de su configuración en texto plano como parte de los formularios de configuración del trabajo, resultando potencialmente en su exposición • http://www.openwall.com/lists/oss-security/2020/09/01/3 https://jenkins.io/security/advisory/2020-09-01/#SECURITY-1631%20%282%29 • CWE-319: Cleartext Transmission of Sensitive Information •
CVE-2020-2231 – Jenkins 2.235.3 - 'X-Forwarded-For' Stored XSS
https://notcve.org/view.php?id=CVE-2020-2231
Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the remote address of the host starting a build via 'Trigger builds remotely', resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission or knowledge of the Authentication Token. Jenkins versiones 2.251 y anteriores, versiones LTS 2.235.3 y anteriores, no escapa la dirección remota del host que inicia una compilación por medio de "Trigger builds remotely", resultando en una vulnerabilidad de tipo cross-site scripting (XSS) almacenado explotables por usuarios con permiso de Trabajo y Configuración o conocimiento del Token de Autenticación A flaw was found in Jenkins versions prior to 2.251 and LTS 2.235.3. The remote address of hosts starting a build via 'Trigger builds remotely' are not properly escaped leading to a potential stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission or knowledge of the authentication token. The highest threat from this vulnerability is to data confidentiality and integrity. Jenkins versions 2.251 and below and LTS 2.235.3 and below suffer from a persistent cross site scripting vulnerability. • https://www.exploit-db.com/exploits/49244 http://packetstormsecurity.com/files/160616/Jenkins-2.251-LTS-2.235.3-Cross-Site-Scripting.html http://www.openwall.com/lists/oss-security/2020/08/12/4 https://jenkins.io/security/advisory/2020-08-12/#SECURITY-1960 https://access.redhat.com/security/cve/CVE-2020-2231 https://bugzilla.redhat.com/show_bug.cgi?id=1875234 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-2229 – Jenkins 2.235.3 - 'tooltip' Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2020-2229
Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the tooltip content of help icons, resulting in a stored cross-site scripting (XSS) vulnerability. Jenkins versiones 2.251 y anteriores, versiones LTS 2.235.3 y anteriores, no escapan el contenido de tooltip de los iconos de ayuda, resultando en una vulnerabilidad de tipo cross-site scripting (XSS) almacenado A flaw was found in Jenkins in versions prior to 2.251 and LTS 2.235.3. Tooltip values, which are not properly escaped, can be contributed by plugins and use user-specified values. This results in a potential stored cross-site scripting (XSS) vulnerability. This highest threat from this vulnerability is to data confidentiality and integrity. • https://www.exploit-db.com/exploits/49232 http://packetstormsecurity.com/files/160443/Jenkins-2.235.3-Cross-Site-Scripting.html http://www.openwall.com/lists/oss-security/2020/08/12/4 https://jenkins.io/security/advisory/2020-08-12/#SECURITY-1955 https://access.redhat.com/security/cve/CVE-2020-2229 https://bugzilla.redhat.com/show_bug.cgi?id=1874830 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •