CVE-2021-21673
https://notcve.org/view.php?id=CVE-2021-21673
Jenkins CAS Plugin 1.6.0 and earlier improperly determines that a redirect URL after login legitimately points to Jenkins, allowing attackers to perform phishing attacks. • http://www.openwall.com/lists/oss-security/2021/06/30/1 https://www.jenkins.io/security/advisory/2021-06-30/#SECURITY-2387 •
CVE-2021-21672
https://notcve.org/view.php?id=CVE-2021-21672
Jenkins Selenium HTML report Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. • http://www.openwall.com/lists/oss-security/2021/06/30/1 http://www.openwall.com/lists/oss-security/2022/04/14/2 https://www.jenkins.io/security/advisory/2021-06-30/#SECURITY-2329 • CWE-611: Improper Restriction of XML External Entity Reference •
CVE-2021-21671 – jenkins: session fixation vulnerability
https://notcve.org/view.php?id=CVE-2021-21671
Jenkins 2.299 and earlier, LTS 2.289.1 and earlier does not invalidate the previous session on login. A session fixation vulnerability was found in Jenkins: the existing session is not invalidated during the login process, which allows an attacker to potentially gain additional access to Jenkins by using social engineering techniques against a target user. • http://www.openwall.com/lists/oss-security/2021/06/30/1 https://www.jenkins.io/security/advisory/2021-06-30/#SECURITY-2371 https://access.redhat.com/security/cve/CVE-2021-21671 https://bugzilla.redhat.com/show_bug.cgi?id=2007750 • CWE-384: Session Fixation •
CVE-2021-21670 – jenkins: improper permission checks allow canceling queue items and aborting builds
https://notcve.org/view.php?id=CVE-2021-21670
Jenkins 2.299 and earlier, LTS 2.289.1 and earlier allows users to cancel queue items and abort builds of jobs for which they have Item/Cancel permission even when they do not have Item/Read permission. An incorrect authorization vulnerability was found in Jenkins: users with Item/Cancel permission are able to cancel queue items and abort builds of jobs even when they do not have Item/Read permission. • http://www.openwall.com/lists/oss-security/2021/06/30/1 https://www.jenkins.io/security/advisory/2021-06-30/#SECURITY-2278 https://access.redhat.com/security/cve/CVE-2021-21670 https://bugzilla.redhat.com/show_bug.cgi?id=2007749 • CWE-863: Incorrect Authorization •
CVE-2021-21669
https://notcve.org/view.php?id=CVE-2021-21669
Jenkins Generic Webhook Trigger Plugin 1.72 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. • http://www.openwall.com/lists/oss-security/2021/06/18/1 https://www.jenkins.io/security/advisory/2021-06-18/#SECURITY-2330 •