Jenkins vulnerabilities rated High
DATE | CVE | TITLE | DESCRIPTION | RISK (CVSS base score) |
---|---|---|---|---|
2021-11-04 | CVE-2021-21686 | Link Following vulnerability in Jenkins | File path filters in the agent-to-controller security subsystem of Jenkins 2.318 and earlier, LTS 2.303.2 and earlier do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories. | 8.1 |
2021-11-04 | CVE-2021-21688 | Missing Authorization vulnerability in Jenkins | The agent-to-controller security check FilePath#reading(FileVisitor) in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not reject any operations, allowing users to have unrestricted read access using certain operations (creating archives, FilePath#copyRecursiveTo). | 7.5 |
2021-11-04 | CVE-2021-21695 | Link Following vulnerability in Jenkins | FilePath#listFiles lists files outside directories that agents are allowed to access when following symbolic links in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. | 8.8 |
2021-11-04 | CVE-2021-21698 | Path Traversal vulnerability in Jenkins Subversion Plugin | Jenkins Subversion Plugin 2.15.0 and earlier does not restrict the name of a file when looking up a Subversion key file on the controller from an agent. | 7.5 |
2021-08-31 | CVE-2021-21677 | Deserialization of Untrusted Data vulnerability in Jenkins Code Coverage API Plugin | Jenkins Code Coverage API Plugin 1.4.0 and earlier does not apply Jenkins JEP-200 deserialization protection to Java objects it deserializes from disk, resulting in a remote code execution vulnerability. | 8.8 |
2021-08-31 | CVE-2021-21678 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins SAML Plugin | Jenkins SAML Plugin 2.0.7 and earlier allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins. | 8.8 |
2021-08-31 | CVE-2021-21679 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Azure AD Plugin | Jenkins Azure AD Plugin 179.vf6841393099e and earlier allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins. | 8.8 |
2021-08-31 | CVE-2021-21680 | XXE vulnerability in Jenkins Nested View Plugin | Jenkins Nested View Plugin 1.20 and earlier does not configure its XML transformer to prevent XML external entity (XXE) attacks. | 7.1 |
2021-06-30 | CVE-2021-21671 | Session Fixation vulnerability in Jenkins | Jenkins 2.299 and earlier, LTS 2.289.1 and earlier does not invalidate the previous session on login, so a session ID known to an attacker before the victim authenticates remains valid afterwards. | 7.5 |
2021-06-10 | CVE-2021-21665 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins XebiaLabs XL Deploy Plugin | A cross-site request forgery (CSRF) vulnerability in Jenkins XebiaLabs XL Deploy Plugin 10.0.1 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing username/password credentials stored in Jenkins. | 8.8 |
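The two Link Following entries (CVE-2021-21686 and CVE-2021-21695) share one root cause: an "is this path under the allowed directory" check that is evaluated on the path as written, so a symbolic link inside the allowed tree that points outside it passes. The following is an added example, not Jenkins code, that models that filter in Python: a naive lexical check beside a canonicalizing check, run against a constructed workspace containing an escaping symlink. Every name in it (`naive_is_allowed`, `canonical_is_allowed`, the `workspace`/`outside` layout) is hypothetical and chosen for illustration.

```python
"""Canonicalize-then-check path filter, contrasted with a naive prefix filter.

Added example, not Jenkins code. The directory layout is constructed in a
temporary directory: `workspace/` is the only tree an agent may touch, and
`workspace/escape` is a symlink to a sibling `outside/` directory that holds
a file the agent must never read.
"""
import os
import tempfile
from pathlib import Path


def naive_is_allowed(root, requested):
    """Vulnerable filter: lexical containment check on the unresolved path.

    os.path.normpath collapses '..' segments, so plain traversal is rejected,
    but symbolic links are never resolved, so a link inside `root` that
    points outside it is accepted.
    """
    candidate = Path(os.path.normpath(root / requested))
    return candidate == root or root in candidate.parents


def canonical_is_allowed(root, requested):
    """Hardened filter: resolve symlinks on both sides, then compare.

    Path.resolve() follows symlinks (and collapses '..') as far as the path
    exists on disk, so the comparison is made against where the operation
    would actually land rather than the name the agent supplied.
    """
    real_root = root.resolve()
    real_candidate = (root / requested).resolve()
    return real_candidate == real_root or real_root in real_candidate.parents


def build_fixture():
    """Constructed sample layout: returns (workspace, outside)."""
    base = Path(tempfile.mkdtemp())
    workspace = base / "workspace"
    outside = base / "outside"
    workspace.mkdir()
    outside.mkdir()
    (outside / "secret.txt").write_text("controller-only data\n")
    # The escaping link: lives inside the allowed tree, targets outside it.
    (workspace / "escape").symlink_to(outside, target_is_directory=True)
    return workspace, outside


def compare_filters(workspace):
    """Run both filters over representative agent requests.

    Returns {request_name: (naive_decision, canonical_decision)}.
    """
    requests = {
        "inside": Path("build.log"),                 # legitimate
        "dotdot": Path("../outside/secret.txt"),     # plain traversal
        "symlink": Path("escape/secret.txt"),        # traversal via link
    }
    return {
        name: (naive_is_allowed(workspace, req),
               canonical_is_allowed(workspace, req))
        for name, req in requests.items()
    }


if __name__ == "__main__":
    ws, _ = build_fixture()
    for name, (naive, canonical) in compare_filters(ws).items():
        print(f"{name:8} naive={naive!s:5} canonical={canonical!s:5}")
```

The point the table rows make is visible in the `symlink` case: the naive filter accepts `escape/secret.txt` because every lexical parent of that name is under the workspace, while the canonical filter resolves it to `outside/secret.txt` and rejects it. Note that canonicalization alone still leaves a time-of-check/time-of-use window if the link can be swapped between the check and the file operation; Jenkins' later fix additionally has the agent-side operations refuse to follow links, which this example does not model.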
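CVE-2021-21671 is the classic session fixation shape: login succeeds without the pre-authentication session being discarded, so whoever knew the victim's session ID before login holds an authenticated session afterwards. The following added example is not Jenkins code; it is a minimal in-memory session table with the vulnerable login behaviour beside the fixed one (invalidate the old session, issue a fresh ID). The `SessionStore` class, the `USERS` table and the attack driver are all hypothetical and constructed for illustration, and the scenario assumes the attacker can plant or learn the victim's pre-login session ID, which is the precondition the advisory describes.

```python
"""Session fixation: login that keeps the pre-auth ID versus login that rotates it.

Added example, not Jenkins code. USERS is a constructed sample credential
table; in a real system it would be a password hash store.
"""
import hmac
import secrets

USERS = {"alice": "correct horse battery staple"}  # constructed sample


def _credentials_ok(username, password):
    expected = USERS.get(username)
    # Constant-time compare; still a stand-in for a real hash verification.
    return expected is not None and hmac.compare_digest(expected, password)


class SessionStore:
    """Maps session IDs to their authenticated user (None before login)."""

    def __init__(self):
        self.sessions = {}

    def new_session(self):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid):
        entry = self.sessions.get(sid)
        return entry["user"] if entry else None

    def login_vulnerable(self, sid, username, password):
        """Authenticates the existing session in place.

        The ID the browser already carried becomes the authenticated ID, so a
        value planted by an attacker before login is now a logged-in session.
        """
        if not _credentials_ok(username, password):
            raise PermissionError("bad credentials")
        self.sessions[sid]["user"] = username
        return sid

    def login_fixed(self, sid, username, password):
        """Invalidates the pre-login session and issues a fresh ID.

        Anything that identified the session before authentication is gone;
        the caller must switch to the returned ID.
        """
        if not _credentials_ok(username, password):
            raise PermissionError("bad credentials")
        self.sessions.pop(sid, None)
        new_sid = self.new_session()
        self.sessions[new_sid]["user"] = username
        return new_sid


def fixation_attack(use_fix):
    """Drive the attack against one login variant.

    1. Attacker obtains an unauthenticated session ID.
    2. Attacker plants it on the victim (assumed possible here).
    3. Victim logs in with that ID.
    Returns (user the planted ID now resolves to, ID the victim ended up with).
    """
    store = SessionStore()
    planted = store.new_session()
    login = store.login_fixed if use_fix else store.login_vulnerable
    victim_sid = login(planted, "alice", USERS["alice"])
    return store.user_for(planted), victim_sid


if __name__ == "__main__":
    print("vulnerable: planted ID resolves to", fixation_attack(False)[0])
    print("fixed:      planted ID resolves to", fixation_attack(True)[0])
```

With the vulnerable login the planted ID resolves to `alice`; with the fixed login it resolves to nothing and the victim's real session lives under an ID the attacker never saw. The same rotation is what the Jenkins fix performs at login; the example only shows the behaviour, not the servlet-container API involved.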