Page 16 of 265 results (0.014 seconds)

CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0

Jenkins 2.275 and LTS 2.263.2 allows reading arbitrary files using the file browser for workspaces and archived artifacts due to a time-of-check to time-of-use (TOCTOU) race condition. Jenkins versiones 2.275 y LTS 2.263.2, permiten leer archivos arbitrarios usando el explorador de archivos para espacios de trabajo y artefactos archivados debido a una condición de carrera de tipo time-of-check a time-of-use (TOCTOU) • http://www.openwall.com/lists/oss-security/2021/01/26/2 https://www.jenkins.io/security/advisory/2021-01-26/#SECURITY-2197 https://access.redhat.com/security/cve/CVE-2021-21615 https://bugzilla.redhat.com/show_bug.cgi?id=1921322 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •

CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape display names and IDs of item types shown on the New Item page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to specify display names or IDs of item types. Jenkins versiones 2.274 y anteriores, LTS 2.263.1 y anteriores, no escapan los nombres a mostrar y los ID de los tipos de elementos que se muestran en la página New Item, resultando en una vulnerabilidad de tipo cross-site scripting (XSS) almacenado explotable por unos atacantes capaces de especificar nombres a mostrar o ID de tipos de elementos. A flaw was found in jenkins. A cross-site scripting (XSS) vulnerability is possible due to display names and IDs of item types shown on the New Item page not being properly escaped. The highest threat from this vulnerability is to data confidentiality and integrity. • https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2171 https://access.redhat.com/security/cve/CVE-2021-21611 https://bugzilla.redhat.com/show_bug.cgi?id=1925145 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not implement any restrictions for the URL rendering a formatted preview of markup passed as a query parameter, resulting in a reflected cross-site scripting (XSS) vulnerability if the configured markup formatter does not prohibit unsafe elements (JavaScript) in markup. Jenkins versiones 2.274 y anteriores, LTS versiones 2.263.1 y anteriores, no implementan ninguna restricción para la URL que presenta una vista previa formateada del marcado pasado como un parámetro de consulta, resultando en una vulnerabilidad de tipo cross-site scripting (XSS) reflejada si el formateador de marcado configurado no prohíbe elementos no seguros (JavaScript) en el marcado. A flaw was found in jenkins. A cross-site scripting (XSS) vulnerability is possible due to the lack of restrictions in URL rendering in the formatted previews of markup passed as a query parameter if the configured markup formatter does not prohibit unsafe elements in the markup. The highest threat from this vulnerability is to data confidentiality and integrity. • https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2153 https://access.redhat.com/security/cve/CVE-2021-21610 https://bugzilla.redhat.com/show_bug.cgi?id=1925151 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not correctly match requested URLs to the list of always accessible paths, allowing attackers without Overall/Read permission to access some URLs as if they did have Overall/Read permission. Jenkins versiones 2.274 y anteriores, LTS versiones 2.263.1 y anteriores, no hacen coincidir correctamente unas URL pedidas con la lista de rutas siempre accesibles, permitiendo a atacantes sin permiso general y de lectura acceder a algunas URL como si tuvieran permiso general y de lectura. • https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2047 https://access.redhat.com/security/cve/CVE-2021-21609 https://bugzilla.redhat.com/show_bug.cgi?id=1925141 • CWE-863: Incorrect Authorization •

CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not limit sizes provided as query parameters to graph-rendering URLs, allowing attackers to request crafted URLs that use all available memory in Jenkins, potentially leading to out of memory errors. Jenkins versiones 2.274 y anteriores, LTS versiones 2.263.1 y anteriores, no limitan tamaños proporcionados como parámetros de consulta hacia unas URL de representación de gráficos, permitiendo a atacantes pedir URL diseñadas que usan toda la memoria disponible en Jenkins, conllevando potencialmente a unos errores de memoria insuficiente. • https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2025 https://access.redhat.com/security/cve/CVE-2021-21607 https://bugzilla.redhat.com/show_bug.cgi?id=1925156 • CWE-770: Allocation of Resources Without Limits or Throttling •