|
197891
|
9.1 |
CRITICAL
Network
|
jenkins
|
jenkins
|
Jenkins 2.318 and earlier, LTS 2.303.2 and earlier allows any agent to read and write the contents of any build directory stored in Jenkins with very few restrictions.
|
NVD-CWE-Other
|
CVE-2021-21697
|
2024-11-21 14:48 |
2021-11-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
197892
|
9.8 |
CRITICAL
Network
|
jenkins
|
jenkins
|
Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not limit agent read/write access to the libs/ directory inside build directories when using the FilePath APIs, allowing attackers in control o…
|
NVD-CWE-Other
|
CVE-2021-21696
|
2024-11-21 14:48 |
2021-11-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
197893
|
8.8 |
HIGH
Network
|
jenkins
|
jenkins
|
FilePath#listFiles lists files outside directories that agents are allowed to access when following symbolic links in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.
|
CWE-59
Link Following
|
CVE-2021-21695
|
2024-11-21 14:48 |
2021-11-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
197894
|
9.8 |
CRITICAL
Network
|
jenkins
|
jenkins
|
FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.
|
CWE-862
Missing Authorization
|
CVE-2021-21694
|
2024-11-21 14:48 |
2021-11-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
197895
|
9.8 |
CRITICAL
Network
|
jenkins
|
jenkins
|
When creating temporary files, agent-to-controller access to create those files is only checked after they've been created in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.
|
CWE-863
Incorrect Authorization
|
CVE-2021-21693
|
2024-11-21 14:48 |
2021-11-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
197896
|
9.8 |
CRITICAL
Network
|
jenkins
|
jenkins
|
FilePath#renameTo and FilePath#moveAllChildrenTo in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier only check 'read' agent-to-controller access permission on the source path, instead of 'delete'.
|
CWE-22
Path Traversal
|
CVE-2021-21692
|
2024-11-21 14:48 |
2021-11-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
197897
|
9.8 |
CRITICAL
Network
|
jenkins
|
jenkins
|
Creating symbolic links is possible without the 'symlink' agent-to-controller access control permission in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.
|
CWE-59
Link Following
|
CVE-2021-21691
|
2024-11-21 14:48 |
2021-11-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
197898
|
9.8 |
CRITICAL
Network
|
jenkins
|
jenkins
|
Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.
|
CWE-22
Path Traversal
|
CVE-2021-21690
|
2024-11-21 14:48 |
2021-11-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
197899
|
9.1 |
CRITICAL
Network
|
jenkins
|
jenkins
|
FilePath#unzip and FilePath#untar were not subject to any agent-to-controller access control in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.
|
NVD-CWE-Other
|
CVE-2021-21689
|
2024-11-21 14:48 |
2021-11-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
197900
|
7.5 |
HIGH
Network
|
jenkins
|
jenkins
|
The agent-to-controller security check FilePath#reading(FileVisitor) in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not reject any operations, allowing users to have unrestricted read acc…
|
CWE-862
Missing Authorization
|
CVE-2021-21688
|
2024-11-21 14:48 |
2021-11-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
