CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2021-21640 – jenkins: view name validation bypass
https://notcve.org/view.php?id=CVE-2021-21640
07 Apr 2021 — Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not properly check that a newly created view has an allowed name, allowing attackers with View/Create permission to create views with invalid or already-used names. Jenkins 2.286 y versiones anteriores, LTS versiones 2.277.1 y anteriores, no comprueban apropiadamente a una visualización recién diseñada tener un nombre permitido, permitiendo a atacantes con permiso de View/Create crear visualizaciones con nombres no válidos o ya usados A flaw was found ... • http://www.openwall.com/lists/oss-security/2021/04/07/2 • CWE-20: Improper Input Validation •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2021-21639 – jenkins: lack of type validation in agent related REST API
https://notcve.org/view.php?id=CVE-2021-21639
07 Apr 2021 — Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not validate the type of object created after loading the data submitted to the `config.xml` REST API endpoint of a node, allowing attackers with Computer/Configure permission to replace a node with one of a different type. Jenkins versiones 2.286 y anteriores, LTS versiones 2.277.1 y anteriores, no comprueba el tipo de objeto diseñado después de cargar los datos enviados al endpoint de la API REST "config.xml" de un nodo, permitiendo a atacantes con p... • http://www.openwall.com/lists/oss-security/2021/04/07/2 • CWE-20: Improper Input Validation •
CVSS: 7.8EPSS: 13%CPEs: 24EXPL: 3CVE-2021-28165 – jetty: Resource exhaustion when receiving an invalid large TLS frame
https://notcve.org/view.php?id=CVE-2021-28165
01 Apr 2021 — In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame. En Eclipse Jetty versiones 7.2.2 hasta 9.4.38, versiones 10.0.0.alpha0 hasta 10.0.1 y versiones 11.0.0.alpha0 hasta 11.0.1, el uso de CPU puede alcanzar el 100% al recibir una gran trama TLS no válida. When using SSL/TLS with Jetty, either with HTTP/1.1, HTTP/2, or WebSocket, the server may receive an invalid large (greater than 17408) TLS frame that is i... • https://github.com/uthrasri/CVE-2021-28165 • CWE-400: Uncontrolled Resource Consumption CWE-551: Incorrect Behavior Order: Authorization Before Parsing and Canonicalization CWE-755: Improper Handling of Exceptional Conditions •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2021-21615 – jenkins: Filesystem traversal by privileged users
https://notcve.org/view.php?id=CVE-2021-21615
26 Jan 2021 — Jenkins 2.275 and LTS 2.263.2 allows reading arbitrary files using the file browser for workspaces and archived artifacts due to a time-of-check to time-of-use (TOCTOU) race condition. Jenkins versiones 2.275 y LTS 2.263.2, permiten leer archivos arbitrarios usando el explorador de archivos para espacios de trabajo y artefactos archivados debido a una condición de carrera de tipo time-of-check a time-of-use (TOCTOU) Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application pla... • http://www.openwall.com/lists/oss-security/2021/01/26/2 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2021-21610 – jenkins: Reflected XSS vulnerability in markup formatter preview
https://notcve.org/view.php?id=CVE-2021-21610
13 Jan 2021 — Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not implement any restrictions for the URL rendering a formatted preview of markup passed as a query parameter, resulting in a reflected cross-site scripting (XSS) vulnerability if the configured markup formatter does not prohibit unsafe elements (JavaScript) in markup. Jenkins versiones 2.274 y anteriores, LTS versiones 2.263.1 y anteriores, no implementan ninguna restricción para la URL que presenta una vista previa formateada del marcado pasado como... • https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2153 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2021-21611 – jenkins: Stored XSS vulnerability on new item page
https://notcve.org/view.php?id=CVE-2021-21611
13 Jan 2021 — Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape display names and IDs of item types shown on the New Item page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to specify display names or IDs of item types. Jenkins versiones 2.274 y anteriores, LTS 2.263.1 y anteriores, no escapan los nombres a mostrar y los ID de los tipos de elementos que se muestran en la página New Item, resultando en una vulnerabilidad de tipo cross-site scripting (XSS) al... • https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2171 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2021-21609 – jenkins: Missing permission check for paths with specific prefix
https://notcve.org/view.php?id=CVE-2021-21609
13 Jan 2021 — Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not correctly match requested URLs to the list of always accessible paths, allowing attackers without Overall/Read permission to access some URLs as if they did have Overall/Read permission. Jenkins versiones 2.274 y anteriores, LTS versiones 2.263.1 y anteriores, no hacen coincidir correctamente unas URL pedidas con la lista de rutas siempre accesibles, permitiendo a atacantes sin permiso general y de lectura acceder a algunas URL como si tuvieran per... • https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2047 • CWE-863: Incorrect Authorization •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-21607 – jenkins: Excessive memory allocation in graph URLs leads to denial of service
https://notcve.org/view.php?id=CVE-2021-21607
13 Jan 2021 — Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not limit sizes provided as query parameters to graph-rendering URLs, allowing attackers to request crafted URLs that use all available memory in Jenkins, potentially leading to out of memory errors. Jenkins versiones 2.274 y anteriores, LTS versiones 2.263.1 y anteriores, no limitan tamaños proporcionados como parámetros de consulta hacia unas URL de representación de gráficos, permitiendo a atacantes pedir URL diseñadas que usan toda la memoria dispo... • https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2025 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2021-21608 – jenkins: Stored XSS vulnerability in button labels
https://notcve.org/view.php?id=CVE-2021-21608
13 Jan 2021 — Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape button labels in the Jenkins UI, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to control button labels. Jenkins versiones 2.274 y anteriores, LTS versiones 2.263.1 y anteriores, no escapan las etiquetas de los botones en la Interfaz de Usuario de Jenkins, resultando en una vulnerabilidad de tipo cross-site scripting (XSS) explotable por unos atacantes con la habilidad de controlar unas eti... • https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2035 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.0EPSS: 0%CPEs: 2EXPL: 0CVE-2021-21605 – jenkins: Path traversal vulnerability in agent names
https://notcve.org/view.php?id=CVE-2021-21605
13 Jan 2021 — Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows users with Agent/Configure permission to choose agent names that cause Jenkins to override the global `config.xml` file. Jenkins versiones 2.274 y anteriores, LTS versiones 2.263.1 y anteriores, permite a usuarios con permiso Agent/Configure elegir nombres de agente que causa que Jenkins anule el archivo global "config.xml". A flaw was found in jenkins. Users with Agent/Configure permissions can choose agent names that cause an override to the global... • https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2021 • CWE-20: Improper Input Validation CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •