Page 7 of 51 results (0.028 seconds)

CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0

A cross-site request forgery (CSRF) vulnerability in Jenkins 2.329 and earlier, LTS 2.319.1 and earlier allows attackers to trigger build of job without parameters when no security realm is set. Una vulnerabilidad de tipo cross-site request forgery (CSRF) en Jenkins versiones 2.329 y anteriores, LTS versiones 2.319.1 y anteriores, permite a atacantes desencadenar una construcción de un trabajo sin parámetros cuando no se establece un ámbito de seguridad A Cross-site request forgery (CSRF) vulnerability was found in Jenkins. The POST requests are not required for the HTTP endpoint handling manual build requests when no security realm is set. This flaw allows an attacker to trigger the building of a job without parameters. • http://www.openwall.com/lists/oss-security/2022/01/12/6 https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2558 https://www.oracle.com/security-alerts/cpuapr2022.html https://access.redhat.com/security/cve/CVE-2022-20612 https://bugzilla.redhat.com/show_bug.cgi?id=2044460 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 9.1EPSS: 0%CPEs: 2EXPL: 0

Jenkins 2.318 and earlier, LTS 2.303.2 and earlier allows any agent to read and write the contents of any build directory stored in Jenkins with very few restrictions. Jenkins versiones 2.318 y anteriores, LTS versiones 2.303.2 y anteriores, permiten a cualquier agente leer y escribir el contenido de cualquier directorio de construcción almacenado en Jenkins con muy pocas restricciones An incorrect access restriction vulnerability was found in Jenkins. The directories agents are allowed to access include the directories where there are stored build-related information intended to allow agents to store build-related metadata during build execution. As a consequence, this allows an attacker who controls agent process to read and write the contents of any build directory stored in Jenkins with very few restrictions (build.xml and some Pipeline-related metadata). • http://www.openwall.com/lists/oss-security/2021/11/04/3 https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2428 https://access.redhat.com/security/cve/CVE-2021-21697 https://bugzilla.redhat.com/show_bug.cgi?id=2020345 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0

Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not limit agent read/write access to the libs/ directory inside build directories when using the FilePath APIs, allowing attackers in control of agent processes to replace the code of a trusted library with a modified variant. This results in unsandboxed code execution in the Jenkins controller process. Jenkins versiones 2.318 y anteriores, LTS versiones 2.303.2 y anteriores, no limitan el acceso de lectura/escritura del agente al directorio libs/ dentro de los directorios de construcción cuando son utilizadas las APIs FilePath, permitiendo a atacantes que controlan los procesos del agente reemplazar el código de una biblioteca confiable con una variante modificada. Esto resulta en una ejecución de código sin sandbox en el proceso del controlador de Jenkins An incorrect permissions validation vulnerability was found in Jenkins. An agent process read/write access to the libs/ directory inside build directories when using the FilePath APIs is not limited. • http://www.openwall.com/lists/oss-security/2021/11/04/3 https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2423 https://access.redhat.com/security/cve/CVE-2021-21696 https://bugzilla.redhat.com/show_bug.cgi?id=2020344 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0

FilePath#listFiles lists files outside directories that agents are allowed to access when following symbolic links in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. FilePath#listFiles lista los archivos fuera de los directorios a los que agentes pueden acceder cuando siguen enlaces simbólicos en Jenkins versiones 2.318 y anteriores, LTS versiones 2.303.2 y anteriores An incorrect permissions validation vulnerability was found in Jenkins. The FilePath#listFiles lists files outside directories with agent read access when following symbolic links. This may allow an attacker to get access to restricted data. • http://www.openwall.com/lists/oss-security/2021/11/04/3 https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455 https://access.redhat.com/security/cve/CVE-2021-21695 https://bugzilla.redhat.com/show_bug.cgi?id=2020343 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-59: Improper Link Resolution Before File Access ('Link Following') •

CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0

FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, y FilePath#get*DiskSpace no comprueban ningún permiso en Jenkins versiones 2.318 y anteriores, LTS versiones 2.303.2 y anteriores An incorrect permissions validation vulnerability was found in Jenkins. The FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions, which may allow an attacker who has access to any of these operations to be able to read and write arbitrary files on the Jenkins controller file system. • https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455 https://access.redhat.com/security/cve/CVE-2021-21694 https://bugzilla.redhat.com/show_bug.cgi?id=2020342 • CWE-862: Missing Authorization CWE-863: Incorrect Authorization •