Vulnerabilities > Jenkins
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-11-04 | CVE-2021-21694 | Missing Authorization vulnerability in Jenkins FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. | 9.8 |
| 2021-11-04 | CVE-2021-21695 | Link Following vulnerability in Jenkins FilePath#listFiles lists files outside directories that agents are allowed to access when following symbolic links in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. | 8.8 |
| 2021-11-04 | CVE-2021-21696 | Unspecified vulnerability in Jenkins Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not limit agent read/write access to the libs/ directory inside build directories when using the FilePath APIs, allowing attackers in control of agent processes to replace the code of a trusted library with a modified variant. | 9.8 |
| 2021-11-04 | CVE-2021-21697 | Unspecified vulnerability in Jenkins Jenkins 2.318 and earlier, LTS 2.303.2 and earlier allows any agent to read and write the contents of any build directory stored in Jenkins with very few restrictions. | 9.1 |
| 2021-11-04 | CVE-2021-21698 | Path Traversal vulnerability in Jenkins Subversion Jenkins Subversion Plugin 2.15.0 and earlier does not restrict the name of a file when looking up a subversion key file on the controller from an agent. | 7.5 |
| 2021-10-06 | CVE-2021-21682 | Unspecified vulnerability in Jenkins Jenkins 2.314 and earlier, LTS 2.303.1 and earlier accepts names of jobs and other entities with a trailing dot character, potentially replacing the configuration and data of other entities on Windows. | 4.3 |
| 2021-10-06 | CVE-2021-21683 | Path Traversal vulnerability in Jenkins The file browser in Jenkins 2.314 and earlier, LTS 2.303.1 and earlier may interpret some paths to files as absolute on Windows, resulting in a path traversal vulnerability allowing attackers with Overall/Read permission (Windows controller) or Job/Workspace permission (Windows agents) to obtain the contents of arbitrary files. | 6.5 |
| 2021-10-06 | CVE-2021-21684 | Improper Encoding or Escaping of Output vulnerability in Jenkins GIT Jenkins Git Plugin 4.8.2 and earlier does not escape the Git SHA-1 checksum parameters provided to commit notifications when displaying them in a build cause, resulting in a stored cross-site scripting (XSS) vulnerability. | 6.1 |
| 2021-08-31 | CVE-2021-21677 | Deserialization of Untrusted Data vulnerability in Jenkins Code Coverage API Jenkins Code Coverage API Plugin 1.4.0 and earlier does not apply Jenkins JEP-200 deserialization protection to Java objects it deserializes from disk, resulting in a remote code execution vulnerability. | 8.8 |
| 2021-08-31 | CVE-2021-21678 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Saml Jenkins SAML Plugin 2.0.7 and earlier allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins. | 8.8 |