Vulnerabilities > Jenkins
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-01-13 | CVE-2021-21606 | Improper Input Validation vulnerability in Jenkins Jenkins 2.274 and earlier, LTS 2.263.1 and earlier improperly validates the format of a provided fingerprint ID when checking for its existence allowing an attacker to check for the existence of XML files with a short path. | 4.3 |
| 2021-01-13 | CVE-2021-21605 | Path Traversal vulnerability in Jenkins Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows users with Agent/Configure permission to choose agent names that cause Jenkins to override the global `config.xml` file. | 8.0 |
| 2021-01-13 | CVE-2021-21604 | Deserialization of Untrusted Data vulnerability in Jenkins Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows attackers with permission to create or configure various objects to inject crafted content into Old Data Monitor that results in the instantiation of potentially unsafe objects once discarded by an administrator. | 8.0 |
| 2021-01-13 | CVE-2021-21603 | Cross-site Scripting vulnerability in Jenkins Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape notification bar response contents, resulting in a cross-site scripting (XSS) vulnerability. | 5.4 |
| 2021-01-13 | CVE-2021-21602 | Link Following vulnerability in Jenkins Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows reading arbitrary files using the file browser for workspaces and archived artifacts by following symlinks. | 6.5 |
| 2020-12-03 | CVE-2020-2324 | XXE vulnerability in Jenkins CVS Jenkins CVS Plugin 2.16 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | 7.5 |
| 2020-12-03 | CVE-2020-2321 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Shelve Project A cross-site request forgery (CSRF) vulnerability in Jenkins Shelve Project Plugin 3.0 and earlier allows attackers to shelve, unshelve, or delete a project. | 8.1 |
| 2020-12-03 | CVE-2020-2320 | Download of Code Without Integrity Check vulnerability in Jenkins Installation Manager Tool Jenkins Plugin Installation Manager Tool 2.1.3 and earlier does not verify plugin downloads. | 9.8 |
| 2020-11-04 | CVE-2020-2319 | Insufficiently Protected Credentials vulnerability in Jenkins VMWare LAB Manager Slaves Jenkins VMware Lab Manager Slaves Plugin 0.2.8 and earlier stores a password unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. | 6.5 |
| 2020-11-04 | CVE-2020-2318 | Insufficiently Protected Credentials vulnerability in Jenkins Mail Commander 1.0.0 Jenkins Mail Commander Plugin for Jenkins-ci Plugin 1.0.0 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. | 6.5 |