CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2021-21610 – jenkins: Reflected XSS vulnerability in markup formatter preview
https://notcve.org/view.php?id=CVE-2021-21610
13 Jan 2021 — Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not implement any restrictions for the URL rendering a formatted preview of markup passed as a query parameter, resulting in a reflected cross-site scripting (XSS) vulnerability if the configured markup formatter does not prohibit unsafe elements (JavaScript) in markup. Jenkins versiones 2.274 y anteriores, LTS versiones 2.263.1 y anteriores, no implementan ninguna restricción para la URL que presenta una vista previa formateada del marcado pasado como... • https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2153 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2021-21611 – jenkins: Stored XSS vulnerability on new item page
https://notcve.org/view.php?id=CVE-2021-21611
13 Jan 2021 — Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape display names and IDs of item types shown on the New Item page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to specify display names or IDs of item types. Jenkins versiones 2.274 y anteriores, LTS 2.263.1 y anteriores, no escapan los nombres a mostrar y los ID de los tipos de elementos que se muestran en la página New Item, resultando en una vulnerabilidad de tipo cross-site scripting (XSS) al... • https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2171 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2021-21609 – jenkins: Missing permission check for paths with specific prefix
https://notcve.org/view.php?id=CVE-2021-21609
13 Jan 2021 — Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not correctly match requested URLs to the list of always accessible paths, allowing attackers without Overall/Read permission to access some URLs as if they did have Overall/Read permission. Jenkins versiones 2.274 y anteriores, LTS versiones 2.263.1 y anteriores, no hacen coincidir correctamente unas URL pedidas con la lista de rutas siempre accesibles, permitiendo a atacantes sin permiso general y de lectura acceder a algunas URL como si tuvieran per... • https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2047 • CWE-863: Incorrect Authorization •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2021-21608 – jenkins: Stored XSS vulnerability in button labels
https://notcve.org/view.php?id=CVE-2021-21608
13 Jan 2021 — Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape button labels in the Jenkins UI, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to control button labels. Jenkins versiones 2.274 y anteriores, LTS versiones 2.263.1 y anteriores, no escapan las etiquetas de los botones en la Interfaz de Usuario de Jenkins, resultando en una vulnerabilidad de tipo cross-site scripting (XSS) explotable por unos atacantes con la habilidad de controlar unas eti... • https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2035 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-21607 – jenkins: Excessive memory allocation in graph URLs leads to denial of service
https://notcve.org/view.php?id=CVE-2021-21607
13 Jan 2021 — Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not limit sizes provided as query parameters to graph-rendering URLs, allowing attackers to request crafted URLs that use all available memory in Jenkins, potentially leading to out of memory errors. Jenkins versiones 2.274 y anteriores, LTS versiones 2.263.1 y anteriores, no limitan tamaños proporcionados como parámetros de consulta hacia unas URL de representación de gráficos, permitiendo a atacantes pedir URL diseñadas que usan toda la memoria dispo... • https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2025 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 8.0EPSS: 0%CPEs: 2EXPL: 0CVE-2021-21605 – jenkins: Path traversal vulnerability in agent names
https://notcve.org/view.php?id=CVE-2021-21605
13 Jan 2021 — Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows users with Agent/Configure permission to choose agent names that cause Jenkins to override the global `config.xml` file. Jenkins versiones 2.274 y anteriores, LTS versiones 2.263.1 y anteriores, permite a usuarios con permiso Agent/Configure elegir nombres de agente que causa que Jenkins anule el archivo global "config.xml". A flaw was found in jenkins. Users with Agent/Configure permissions can choose agent names that cause an override to the global... • https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2021 • CWE-20: Improper Input Validation CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2021-21606 – jenkins: Arbitrary file existence check in file fingerprints
https://notcve.org/view.php?id=CVE-2021-21606
13 Jan 2021 — Jenkins 2.274 and earlier, LTS 2.263.1 and earlier improperly validates the format of a provided fingerprint ID when checking for its existence allowing an attacker to check for the existence of XML files with a short path. Jenkins versiones 2.274 y anteriores, LTS versiones 2.263.1 y anteriores, comprueban inapropiadamente el formato de una identificación de huella digital proporcionada al comprobar su existencia, permitiendo a un atacante comprobar la existencia de archivos XML con una ruta corta. Red Hat... • https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2023 • CWE-20: Improper Input Validation •
CVSS: 8.0EPSS: 0%CPEs: 2EXPL: 0CVE-2021-21604 – jenkins: Improper handling of REST API XML deserialization errors
https://notcve.org/view.php?id=CVE-2021-21604
13 Jan 2021 — Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows attackers with permission to create or configure various objects to inject crafted content into Old Data Monitor that results in the instantiation of potentially unsafe objects once discarded by an administrator. Jenkins versiones 2.274 y anteriores, LTS versiones 2.263.1 y anteriores, permite a atacantes con permiso para crear o configurar varios objetos para inyectar contenido diseñado en Old Data Monitor que resulta en la instanciación de objetos ... • https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-1923 • CWE-502: Deserialization of Untrusted Data •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2021-21603 – jenkins: XSS vulnerability in notification bar
https://notcve.org/view.php?id=CVE-2021-21603
13 Jan 2021 — Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape notification bar response contents, resulting in a cross-site scripting (XSS) vulnerability. Jenkins versiones 2.274 y anteriores, LTS versiones 2.263.1 y anteriores, no escapan el contenido de respuesta de la barra de notificaciones, resultando en una vulnerabilidad de tipo cross-site scripting (XSS). A flaw was found in jenkins. A cross-site scripting (XSS) vulnerability is possible due to the contents of the notification bar responses not... • https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-1889 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-21602 – jenkins: Arbitrary file read vulnerability in workspace browsers
https://notcve.org/view.php?id=CVE-2021-21602
13 Jan 2021 — Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows reading arbitrary files using the file browser for workspaces and archived artifacts by following symlinks. Jenkins versiones 2.274 y anteriores, LTS versiones 2.263.1 y anteriores, permite leer archivos arbitrarios usando el explorador de archivos para espacios de trabajo y artefactos archivados al seguir enlaces simbólicos. Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-pre... • https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-1452 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •