Vulnerabilities > Jenkins > Jenkins > 1.299

| Date | CVE | Vulnerability title | Description | Attack vector | Complexity | Vendors | CWE | Risk |
|---|---|---|---|---|---|---|---|---|
| 2021-11-04 | CVE-2021-21696 | Unspecified vulnerability in Jenkins | Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not limit agent read/write access to the libs/ directory inside build directories when using the FilePath APIs, allowing attackers in control of agent processes to replace the code of a trusted library with a modified variant. | network | low | jenkins | | critical 9.8 |
| 2021-11-04 | CVE-2021-21697 | Unspecified vulnerability in Jenkins | Jenkins 2.318 and earlier, LTS 2.303.2 and earlier allows any agent to read and write the contents of any build directory stored in Jenkins with very few restrictions. | network | low | jenkins | | critical 9.1 |
| 2021-10-06 | CVE-2021-21682 | Unspecified vulnerability in Jenkins | Jenkins 2.314 and earlier, LTS 2.303.1 and earlier accepts names of jobs and other entities with a trailing dot character, potentially replacing the configuration and data of other entities on Windows. | network | low | jenkins | | 4.3 |
| 2021-10-06 | CVE-2021-21683 | Path Traversal vulnerability in Jenkins | The file browser in Jenkins 2.314 and earlier, LTS 2.303.1 and earlier may interpret some paths to files as absolute on Windows, resulting in a path traversal vulnerability allowing attackers with Overall/Read permission (Windows controller) or Job/Workspace permission (Windows agents) to obtain the contents of arbitrary files. | network | low | jenkins | CWE-22 | 6.5 |
| 2021-06-30 | CVE-2021-21670 | Unspecified vulnerability in Jenkins | Jenkins 2.299 and earlier, LTS 2.289.1 and earlier allows users to cancel queue items and abort builds of jobs for which they have Item/Cancel permission even when they do not have Item/Read permission. | network | low | jenkins | | 4.3 |
| 2021-04-07 | CVE-2021-21640 | Unspecified vulnerability in Jenkins | Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not properly check that a newly created view has an allowed name, allowing attackers with View/Create permission to create views with invalid or already-used names. | network | low | jenkins | | 4.3 |
| 2021-04-07 | CVE-2021-21639 | Unspecified vulnerability in Jenkins | Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not validate the type of object created after loading the data submitted to the `config.xml` REST API endpoint of a node, allowing attackers with Computer/Configure permission to replace a node with one of a different type. | network | low | jenkins | | 4.3 |
| 2021-04-01 | CVE-2021-28165 | Improper Handling of Exceptional Conditions vulnerability in multiple products | In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame. | network | low | eclipse, oracle, jenkins, netapp | CWE-755 | 7.5 |
| 2021-01-26 | CVE-2021-21615 | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Jenkins | Jenkins 2.275 and LTS 2.263.2 allows reading arbitrary files using the file browser for workspaces and archived artifacts due to a time-of-check to time-of-use (TOCTOU) race condition. | network | high | jenkins | CWE-367 | 5.3 |
| 2021-01-13 | CVE-2021-21611 | Cross-site Scripting vulnerability in Jenkins | Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape display names and IDs of item types shown on the New Item page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to specify display names or IDs of item types. | network | low | jenkins | CWE-79 | 5.4 |