|
197001
|
5.4 |
MEDIUM
Network
|
jenkins
|
scriptler
|
Jenkins Scriptler Plugin 3.3 and earlier does not escape the name of scripts on the UI when asking to confirm their deletion, resulting in a stored cross-site scripting (XSS) vulnerability exploitabl…
|
CWE-79
Cross-site Scripting
|
CVE-2021-21700
|
2024-11-21 14:48 |
2021-11-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
197002
|
5.4 |
MEDIUM
Network
|
jenkins
|
active_choices
|
Jenkins Active Choices Plugin 2.5.6 and earlier does not escape the parameter name of reactive parameters and dynamic reference parameters, resulting in a stored cross-site scripting (XSS) vulnerabil…
|
CWE-79
Cross-site Scripting
|
CVE-2021-21699
|
2024-11-21 14:48 |
2021-11-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
197003
|
7.5 |
HIGH
Network
|
jenkins
|
subversion
|
Jenkins Subversion Plugin 2.15.0 and earlier does not restrict the name of a file when looking up a subversion key file on the controller from an agent.
|
CWE-22
Path Traversal
|
CVE-2021-21698
|
2024-11-21 14:48 |
2021-11-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
197004
|
9.1 |
CRITICAL
Network
|
jenkins
|
jenkins
|
Jenkins 2.318 and earlier, LTS 2.303.2 and earlier allows any agent to read and write the contents of any build directory stored in Jenkins with very few restrictions.
|
NVD-CWE-Other
|
CVE-2021-21697
|
2024-11-21 14:48 |
2021-11-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
197005
|
9.8 |
CRITICAL
Network
|
jenkins
|
jenkins
|
Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not limit agent read/write access to the libs/ directory inside build directories when using the FilePath APIs, allowing attackers in control o…
|
NVD-CWE-Other
|
CVE-2021-21696
|
2024-11-21 14:48 |
2021-11-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
197006
|
8.8 |
HIGH
Network
|
jenkins
|
jenkins
|
FilePath#listFiles lists files outside directories that agents are allowed to access when following symbolic links in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.
|
CWE-59
Link Following
|
CVE-2021-21695
|
2024-11-21 14:48 |
2021-11-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
197007
|
9.8 |
CRITICAL
Network
|
jenkins
|
jenkins
|
FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.
|
CWE-862
Missing Authorization
|
CVE-2021-21694
|
2024-11-21 14:48 |
2021-11-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
197008
|
9.8 |
CRITICAL
Network
|
jenkins
|
jenkins
|
When creating temporary files, agent-to-controller access to create those files is only checked after they've been created in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.
|
CWE-863
Incorrect Authorization
|
CVE-2021-21693
|
2024-11-21 14:48 |
2021-11-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
197009
|
9.8 |
CRITICAL
Network
|
jenkins
|
jenkins
|
FilePath#renameTo and FilePath#moveAllChildrenTo in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier only check 'read' agent-to-controller access permission on the source path, instead of 'delete'.
|
CWE-22
Path Traversal
|
CVE-2021-21692
|
2024-11-21 14:48 |
2021-11-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
197010
|
9.8 |
CRITICAL
Network
|
jenkins
|
jenkins
|
Creating symbolic links is possible without the 'symlink' agent-to-controller access control permission in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.
|
CWE-59
Link Following
|
CVE-2021-21691
|
2024-11-21 14:48 |
2021-11-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
