FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

These are the vulnerabilities relating to the commit you have selected:

VuXML ID | Description

d6f76976-e86d-4f9a-9362-76c849b10db2 | jenkins -- multiple vulnerabilities

Jenkins Security Advisory:

Description

(Medium) SECURITY-1452 / CVE-2021-21602

Arbitrary file read vulnerability in workspace browsers

(High) SECURITY-1889 / CVE-2021-21603

XSS vulnerability in notification bar

(High) SECURITY-1923 / CVE-2021-21604

Improper handling of REST API XML deserialization errors

(High) SECURITY-2021 / CVE-2021-21605

Path traversal vulnerability in agent names

(Medium) SECURITY-2023 / CVE-2021-21606

Arbitrary file existence check in file fingerprints

(Medium) SECURITY-2025 / CVE-2021-21607

Excessive memory allocation in graph URLs leads to denial of service

(High) SECURITY-2035 / CVE-2021-21608

Stored XSS vulnerability in button labels

(Low) SECURITY-2047 / CVE-2021-21609

Missing permission check for paths with specific prefix

(High) SECURITY-2153 / CVE-2021-21610

Reflected XSS vulnerability in markup formatter preview

(High) SECURITY-2171 / CVE-2021-21611

Stored XSS vulnerability on new item page


Discovery 2021-01-13
Entry 2021-01-13
jenkins
lt 2.275

jenkins-lts
lt 2.263.2

https://www.jenkins.io/security/advisory/2021-01-13/

7e01df39-db7e-11e5-b937-00e0814cab4e | jenkins -- multiple vulnerabilities

Jenkins Security Advisory:

Description

SECURITY-232 / CVE-2016-0788 (Remote code execution vulnerability in remoting module)

A vulnerability in the Jenkins remoting module allowed unauthenticated remote attackers to open a JRMP listener on the server hosting the Jenkins master process, which allowed arbitrary code execution.

SECURITY-238 / CVE-2016-0789 (HTTP response splitting vulnerability)

An HTTP response splitting vulnerability in the CLI command documentation allowed attackers to craft Jenkins URLs that serve malicious content.

SECURITY-241 / CVE-2016-0790 (Non-constant time comparison of API token)

The verification of user-provided API tokens with the expected value did not use a constant-time comparison algorithm, potentially allowing attackers to use statistical methods to determine valid API tokens using brute-force methods.

SECURITY-245 / CVE-2016-0791 (Non-constant time comparison of CSRF crumbs)

The verification of user-provided CSRF crumbs with the expected value did not use a constant-time comparison algorithm, potentially allowing attackers to use statistical methods to determine valid CSRF crumbs using brute-force methods.

SECURITY-247 / CVE-2016-0792 (Remote code execution through remote API)

Jenkins has several API endpoints that allow low-privilege users to POST XML files that then get deserialized by Jenkins. Maliciously crafted XML files sent to these API endpoints could result in arbitrary code execution.


Discovery 2016-02-24
Entry 2016-02-25
jenkins
le 1.650

jenkins-lts
le 1.642.2

https://wiki.jenkins-ci.org/display/SECURITY/Security+Advisory+2016-02-24
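The two non-constant-time items above (SECURITY-241 and SECURITY-245) describe a timing side channel rather than a logic bug: an early-exit comparison does more work the longer the correct prefix of the guess is. The Python below is an added example, not Jenkins code or anything from the advisory. It pairs the flawed early-exit comparison with a constant-time one, reports how many bytes each examines as a stand-in for elapsed time, and runs the byte-at-a-time recovery the advisory calls "statistical methods" against a constructed token (TOKEN and HEX_ALPHABET are made up for the demonstration). The same pattern is behind the later SECURITY-1659 / SECURITY-1660 items (inbound TCP agent secret, HMAC comparison).

```python
# Added example (not Jenkins code): what a non-constant-time comparison of an
# API token or CSRF crumb leaks, and the constant-time alternative.
# TOKEN and HEX_ALPHABET are constructed for the demonstration; the step
# counter returned by the compare functions stands in for elapsed time.
import hmac
from typing import Callable, Tuple

TOKEN = b"11e5b937a0c94f9a"          # constructed 16-byte secret
HEX_ALPHABET = b"0123456789abcdef"   # character set the attacker assumes

Compare = Callable[[bytes, bytes], Tuple[bool, int]]


def naive_compare(expected: bytes, provided: bytes) -> Tuple[bool, int]:
    """Early-exit comparison, the flawed pattern. Returns (equal, bytes_examined).
    The work done grows with the length of the correct prefix, so an attacker
    timing many requests learns one byte of the secret at a time."""
    if len(expected) != len(provided):
        return False, 0
    steps = 0
    for a, b in zip(expected, provided):
        steps += 1
        if a != b:
            return False, steps      # bails out at the first differing byte
    return True, steps


def constant_time_compare(expected: bytes, provided: bytes) -> Tuple[bool, int]:
    """Constant-time comparison: XOR every byte pair and OR the results into an
    accumulator. No branch depends on where (or whether) the bytes differ, so
    every call does the same amount of work."""
    if len(expected) != len(provided):
        return False, 0              # length of a fixed-size token is not secret
    mismatch = 0
    steps = 0
    for a, b in zip(expected, provided):
        steps += 1
        mismatch |= a ^ b
    return mismatch == 0, steps


def verify_api_token(expected: bytes, provided: bytes) -> bool:
    """What production code should call: the standard library's constant-time
    comparison (hmac.compare_digest, Python 3.3+) instead of == or a hand loop."""
    return hmac.compare_digest(expected, provided)


def recover_by_timing(expected: bytes, alphabet: bytes, compare: Compare) -> bytes:
    """Offline simulation of the attack the advisory warns about. The attacker
    never reads `expected`; they only observe whether the check passed and how
    long it took (here: the step count). The guess is extended one byte at a
    time, keeping the candidate that made the comparison run longest."""
    guess = bytearray()
    for pos in range(len(expected)):
        best_byte, best_score = None, None
        for c in alphabet:
            padding = b"\x00" * (len(expected) - pos - 1)
            equal, steps = compare(expected, bytes(guess) + bytes([c]) + padding)
            score = (equal, steps)   # a passing check beats any timing signal
            if best_score is None or score > best_score:
                best_byte, best_score = c, score
        guess.append(best_byte)
    return bytes(guess)


if __name__ == "__main__":
    print("early-exit compare leaks token:",
          recover_by_timing(TOKEN, HEX_ALPHABET, naive_compare) == TOKEN)
    print("constant-time compare leaks token:",
          recover_by_timing(TOKEN, HEX_ALPHABET, constant_time_compare) == TOKEN)
```

Against a real server the oracle is network latency and has to be averaged over many requests; the simulation replaces that noise with an exact step count so the effect is visible in one pass. Production code should use a library constant-time primitive (hmac.compare_digest here, MessageDigest.isEqual on the JVM) rather than a hand-written loop, and treat both the pass/fail result and the response time as observable.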

06ab7724-0fd7-427e-a5ce-fe436302b10c | jenkins -- multiple vulnerabilities

Jenkins developers report:

The agent to master security subsystem ensures that the Jenkins master is protected from maliciously configured agents. A path traversal vulnerability allowed agents to escape whitelisted directories to read and write to files they should not be able to access.

Black Duck Hub Plugin's API endpoint was affected by an XML External Entity (XXE) processing vulnerability. This allowed an attacker with Overall/Read access to have Jenkins parse a maliciously crafted file that uses external entities for extraction of secrets from the Jenkins master, server-side request forgery, or denial-of-service attacks.

Several other lower-severity issues were reported; see the reference URL for details.


Discovery 2018-05-09
Entry 2018-05-10
jenkins
le 2.120

jenkins-lts
le 2.107.2

https://jenkins.io/security/advisory/2018-05-09/
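The XXE item above (Black Duck Hub Plugin) is an instance of the general problem of handing an untrusted XML document to a parser that still resolves external entities. The block below is an added example in Python, not plugin or Jenkins code: it builds a classic file-disclosure payload against a secret file created in a temporary directory (both constructed for the demonstration), parses it once with external general entities enabled and once with them disabled, and returns what the application would have echoed back in each case.

```python
# Added example (not Jenkins or Black Duck Hub Plugin code): an XML endpoint
# that accepts untrusted documents, first with external general entities
# enabled (the XXE condition) and then with them disabled. The secret file and
# the payload are constructed here for the demonstration.
import io
import os
import tempfile
import xml.sax
from typing import Dict
from xml.sax.handler import ContentHandler, feature_external_ges

SECRET = "hunter2-master-key"  # constructed; stands in for a secret on the master


class NameCollector(ContentHandler):
    """Collects the text of <name>, the field an API endpoint might echo back
    or store, which is where the expanded entity ends up."""

    def __init__(self) -> None:
        super().__init__()
        self._in_name = False
        self.name = ""

    def startElement(self, tag, attrs) -> None:
        self._in_name = tag == "name"

    def endElement(self, tag) -> None:
        if tag == "name":
            self._in_name = False

    def characters(self, data) -> None:
        if self._in_name:
            self.name += data


def parse_untrusted(xml_text: str, allow_external_entities: bool) -> str:
    """Parse a document from an untrusted source and return the <name> text."""
    parser = xml.sax.make_parser()
    # This one setting is the fix: a document pulled off the network must never
    # be able to instruct the parser to open local files or URLs. Python's
    # expat-based SAX reader enabled this by default before 3.7.1, so set it
    # explicitly rather than relying on the interpreter's default.
    parser.setFeature(feature_external_ges, allow_external_entities)
    handler = NameCollector()
    parser.setContentHandler(handler)
    parser.parse(io.StringIO(xml_text))
    return handler.name


def build_payload(target_path: str) -> str:
    """Classic XXE payload: declare an external entity pointing at a local file
    and reference it where the application expects user-controlled text."""
    return (
        f'<!DOCTYPE project [<!ENTITY xxe SYSTEM "{target_path}">]>\n'
        "<project><name>&xxe;</name></project>\n"
    )


def run_demo() -> Dict[str, str]:
    """Write the constructed secret to a temp file, aim the payload at it and
    parse it both ways. Returns what each configuration leaked."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "master.key")
        with open(secret_path, "w") as fh:
            fh.write(SECRET)
        payload = build_payload(secret_path)
        return {
            "vulnerable": parse_untrusted(payload, allow_external_entities=True),
            "hardened": parse_untrusted(payload, allow_external_entities=False),
        }


if __name__ == "__main__":
    for mode, leaked in run_demo().items():
        print(f"{mode}: {leaked!r}")
```

On the JVM the equivalent is disabling DOCTYPE declarations, or external general and parameter entities, on the DocumentBuilderFactory or SAXParserFactory before parsing; the principle is the same. The server-side request forgery variant the advisory mentions follows the identical path with an http:// system identifier, and the denial-of-service variant uses nested internal entities, so disabling external entities alone is not the whole hardening story.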

6905f05f-a0c9-11e8-8335-8c164535ad80 | jenkins -- multiple vulnerabilities

Jenkins Security Advisory:

Description

(Low) SECURITY-637

Jenkins allowed deserialization of URL objects with host components

(Medium) SECURITY-672

Ephemeral user record was created on some invalid authentication attempts

(Medium) SECURITY-790

Cron expression form validation could enter infinite loop, potentially resulting in denial of service

(Low) SECURITY-996

"Remember me" cookie was evaluated even if that feature is disabled

(Medium) SECURITY-1071

Unauthorized users could access agent logs

(Low) SECURITY-1076

Unauthorized users could cancel scheduled restarts initiated from the update center


Discovery 2018-08-15
Entry 2018-08-15
jenkins
lt 2.138

jenkins-lts
lt 2.121.3

https://jenkins.io/security/advisory/2018-08-15/

3aa27226-f86f-11e8-a085-3497f683cb16 | jenkins -- multiple vulnerabilities

Jenkins Security Advisory:

Description

(Critical) SECURITY-595

Code execution through crafted URLs

(Medium) SECURITY-904

Forced migration of user records

(Medium) SECURITY-1072

Workspace browser allowed accessing files outside the workspace

(Medium) SECURITY-1193

Potential denial of service through cron expression form validation


Discovery 2018-12-05
Entry 2018-12-05
jenkins
lt 2.154

jenkins-lts
lt 2.138.3

https://jenkins.io/security/advisory/2018-12-05/

425f2143-8876-4b0a-af84-e0238c5c2062 | jenkins -- Arbitrary file read vulnerability in workspace browsers

Jenkins Security Advisory:

Description

(Medium) SECURITY-2197 / CVE-2021-21615

Arbitrary file read vulnerability in workspace browsers


Discovery 2021-01-26
Entry 2021-01-26
jenkins
lt 2.276

jenkins-lts
lt 2.263.3

https://www.jenkins.io/security/advisory/2021-01-26/

1c2a9d76-9d98-43c3-8f5d-8c059b104d99 | jenkins -- multiple issues

Jenkins developers report:

Jenkins stores metadata related to people, which encompasses actual user accounts, as well as users appearing in SCM, in directories corresponding to the user ID on disk. These directories used the user ID for their name without additional escaping. This potentially resulted in a number of problems.

Autocompletion suggestions for text fields were not escaped, resulting in a persisted cross-site scripting vulnerability if the source for the suggestions allowed specifying text that includes HTML metacharacters like less-than and greater-than characters.


Discovery 2017-11-08
Entry 2017-11-09
jenkins
lt 2.89

jenkins-lts
lt 2.73.3

https://jenkins.io/security/advisory/2017-11-08/

631c4710-9be5-4a80-9310-eb2847fe24dd | jenkins -- multiple vulnerabilities

Jenkins Security Advisory:

Description

SECURITY-412 through SECURITY-420 / CVE-2017-1000356

CSRF: Multiple vulnerabilities

SECURITY-429 / CVE-2017-1000353

CLI: Unauthenticated remote code execution

SECURITY-466 / CVE-2017-1000354

CLI: Login command allowed impersonating any Jenkins user

SECURITY-503 / CVE-2017-1000355

XStream: Java crash when trying to instantiate void/Void


Discovery 2017-04-26
Entry 2017-04-27
jenkins
lt 2.57

jenkins-lts
lt 2.46.2

CVE-2017-1000356
CVE-2017-1000353
CVE-2017-1000354
CVE-2017-1000355
https://jenkins.io/security/advisory/2017-04-26/

20a1881e-8a9e-11e8-bddf-d017c2ca229d | jenkins -- multiple vulnerabilities

Jenkins Security Advisory:

Description

(High) SECURITY-897 / CVE-2018-1999001

Users without Overall/Read permission can have Jenkins reset parts of global configuration on the next restart

(High) SECURITY-914 / CVE-2018-1999002

Arbitrary file read vulnerability

(Medium) SECURITY-891 / CVE-2018-1999003

Unauthorized users could cancel queued builds

(Medium) SECURITY-892 / CVE-2018-1999004

Unauthorized users could initiate and abort agent launches

(Medium) SECURITY-944 / CVE-2018-1999005

Stored XSS vulnerability

(Medium) SECURITY-925 / CVE-2018-1999006

Unauthorized users are able to determine when a plugin was extracted from its JPI package

(Medium) SECURITY-390 / CVE-2018-1999007

XSS vulnerability in Stapler debug mode


Discovery 2018-07-18
Entry 2018-07-18
jenkins
lt 2.133

jenkins-lts
lt 2.121.2

CVE-2018-1999001
CVE-2018-1999002
CVE-2018-1999003
CVE-2018-1999004
CVE-2018-1999005
CVE-2018-1999006
CVE-2018-1999007
https://jenkins.io/security/advisory/2018-07-18/

9720bb39-f82a-402f-9fe4-e2c875bdda83 | jenkins -- multiple vulnerabilities

Jenkins Security Advisory:

Description

(Medium) SECURITY-1498 / CVE-2019-10401

Stored XSS vulnerability in expandable textbox form control

(Medium) SECURITY-1525 / CVE-2019-10402

XSS vulnerability in combobox form control

(Medium) SECURITY-1537 (1) / CVE-2019-10403

Stored XSS vulnerability in SCM tag action tooltip

(Medium) SECURITY-1537 (2) / CVE-2019-10404

Stored XSS vulnerability in queue item tooltip

(Medium) SECURITY-1505 / CVE-2019-10405

Diagnostic web page exposed Cookie HTTP header

(Medium) SECURITY-1471 / CVE-2019-10406

XSS vulnerability in Jenkins URL setting


Discovery 2019-09-25
Entry 2019-09-25
jenkins
le 2.196

jenkins-lts
le 2.176.3

CVE-2019-10401
CVE-2019-10402
CVE-2019-10403
CVE-2019-10404
CVE-2019-10405
CVE-2019-10406
https://jenkins.io/security/advisory/2019-09-25/

b665668a-91db-4f13-8113-9e4b5b0e47f7 | jenkins -- remote code execution via unsafe deserialization

Jenkins Developers report:

Unsafe deserialization allows unauthenticated remote attackers to run arbitrary code on the Jenkins master.


Discovery 2015-11-06
Entry 2015-11-11
jenkins
lt 1.638

jenkins-lts
lt 1.625.2

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11
https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#thefix

27eee66d-9474-44a5-b830-21ec12a1c307 | jenkins -- Remote code execution vulnerability in remoting module

Jenkins Security Advisory:

An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java object to the Jenkins CLI, making Jenkins connect to an attacker-controlled LDAP server, which in turn can send a serialized payload leading to code execution, bypassing existing protection mechanisms.


Discovery 2016-11-11
Entry 2016-11-16
jenkins
le 2.31

jenkins-lts
le 2.19.2

CVE-2016-9299
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-11-16

a250539d-d1d4-4591-afd3-c8bdfac335d8 | jenkins -- multiple vulnerabilities

Jenkins Security Advisory:

Description

(High) SECURITY-1682 / CVE-2020-2099

Inbound TCP Agent Protocol/3 authentication bypass

(Medium) SECURITY-1641 / CVE-2020-2100

Jenkins vulnerable to UDP amplification reflection attack

(Medium) SECURITY-1659 / CVE-2020-2101

Non-constant time comparison of inbound TCP agent connection secret

(Medium) SECURITY-1660 / CVE-2020-2102

Non-constant time HMAC comparison

(Medium) SECURITY-1695 / CVE-2020-2103

Diagnostic page exposed session cookies

(Medium) SECURITY-1650 / CVE-2020-2104

Memory usage graphs accessible to anyone with Overall/Read

(Low) SECURITY-1704 / CVE-2020-2105

Jenkins REST APIs vulnerable to clickjacking

(Medium) SECURITY-1680 / CVE-2020-2106

Stored XSS vulnerability in Code Coverage API Plugin

(Medium) SECURITY-1565 / CVE-2020-2107

Fortify Plugin stored credentials in plain text

(High) SECURITY-1719 / CVE-2020-2108

XXE vulnerability in WebSphere Deployer Plugin


Discovery 2020-01-29
Entry 2020-01-29
jenkins
le 2.219

jenkins-lts
le 2.204.2

CVE-2020-2099
CVE-2020-2100
CVE-2020-2101
CVE-2020-2102
CVE-2020-2103
CVE-2020-2104
CVE-2020-2105
CVE-2020-2106
CVE-2020-2107
CVE-2020-2108
https://jenkins.io/security/advisory/2020-01-29/

3350275d-cd5a-11e8-a7be-3497f683cb16 | jenkins -- multiple vulnerabilities

Jenkins Security Advisory:

Description

(Low) SECURITY-867

Path traversal vulnerability in Stapler allowed accessing internal data

(Medium) SECURITY-1074

Arbitrary file write vulnerability using file parameter definitions

(Medium) SECURITY-1129

Reflected XSS vulnerability

(Medium) SECURITY-1162

Ephemeral user record was created on some invalid authentication attempts

(Medium) SECURITY-1128

Ephemeral user record creation

(Medium) SECURITY-1158

Session fixation vulnerability on user signup

(Medium) SECURITY-765

Failures to process form submission data could result in secrets being displayed or written to logs


Discovery 2018-10-10
Entry 2018-10-11
jenkins
lt 2.146

jenkins-lts
lt 2.138.2

https://jenkins.io/security/advisory/2018-10-10/

eef0d2d9-78c0-441e-8b03-454c5baebe20 | jenkins -- multiple vulnerabilities

Jenkins Security Advisory:

Description

(High) SECURITY-1955 / CVE-2020-2229

Stored XSS vulnerability in help icons

(High) SECURITY-1957 / CVE-2020-2230

Stored XSS vulnerability in project naming strategy

(High) SECURITY-1960 / CVE-2020-2231

Stored XSS vulnerability in 'Trigger builds remotely'


Discovery 2020-08-12
Entry 2020-08-12
jenkins
lt 2.252

jenkins-lts
lt 2.235.4

CVE-2020-2229
CVE-2020-2230
CVE-2020-2231
https://www.jenkins.io/security/advisory/2020-08-12/

e387834a-17ef-11e6-9947-7054d2909b71 | jenkins -- multiple vulnerabilities

Jenkins Security Advisory:

Description

SECURITY-170 / CVE-2016-3721

Arbitrary build parameters are passed to build scripts as environment variables

SECURITY-243 / CVE-2016-3722

Malicious users with multiple user accounts can prevent other users from logging in

SECURITY-250 / CVE-2016-3723

Information on installed plugins exposed via API

SECURITY-266 / CVE-2016-3724

Encrypted secrets (e.g. passwords) were leaked to users with permission to read configuration

SECURITY-273 / CVE-2016-3725

Regular users can trigger download of update site metadata

SECURITY-276 / CVE-2016-3726

Open redirect to scheme-relative URLs

SECURITY-281 / CVE-2016-3727

Granting the permission to read node configurations allows access to overall system configuration


Discovery 2016-05-11
Entry 2016-05-12
jenkins
le 2.2

jenkins2
le 2.2

jenkins-lts
le 1.651.1

CVE-2016-3721
CVE-2016-3722
CVE-2016-3723
CVE-2016-3724
CVE-2016-3725
CVE-2016-3726
CVE-2016-3727
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11

aaba17aa-782e-4843-8a79-7756cfa2bf89 | jenkins -- multiple vulnerabilities

Jenkins developers report:

The Jenkins CLI sent different error responses for commands with view and agent arguments depending on the existence of the specified views or agents to unauthorized users. This allowed attackers to determine whether views or agents with specified names exist.

The Jenkins CLI now returns the same error messages to unauthorized users independent of the existence of specified view or agent names.

Some JavaScript confirmation dialogs included the item name in an unsafe manner, resulting in a possible cross-site scripting vulnerability exploitable by users with permission to create or configure items.

JavaScript confirmation dialogs that include the item name now properly escape it, so it can be safely displayed.


Discovery 2018-04-11
Entry 2018-04-12
jenkins
le 2.115

jenkins-lts
le 2.107.1

https://jenkins.io/security/advisory/2018-04-11/

6dc3c61c-e866-4c27-93f7-ae50908594fd | jenkins -- multiple issues

Jenkins developers report:

A total of 11 issues are reported; please see the reference URL for details.


Discovery 2017-10-11
Entry 2017-10-13
jenkins
le 2.83

jenkins-lts
le 2.73.1

https://jenkins.io/security/advisory/2017-10-11/

9595d002-edeb-4602-be2d-791cd654247e | jenkins -- multiple vulnerabilities

Jenkins Security Advisory:

Description

(Low) SECURITY-1721 / CVE-2021-21639

Lack of type validation in agent related REST API

(Medium) SECURITY-1871 / CVE-2021-21640

View name validation bypass


Discovery 2021-04-07
Entry 2021-04-08
jenkins
lt 2.287

jenkins-lts
lt 2.277.2

https://www.jenkins.io/security/advisory/2021-04-07/

09ea1b08-1d3e-4bf2-91a1-d6573f4da3d8 | jenkins -- Buffer corruption in bundled Jetty

Jenkins Security Advisory:

Description

(Critical) SECURITY-1983 / CVE-2019-17638

Buffer corruption in bundled Jetty


Discovery 2020-08-17
Entry 2020-08-17
jenkins
lt 2.243

jenkins-lts
lt 2.235.5

CVE-2019-17638
https://www.jenkins.io/security/advisory/2020-08-17/

debf6353-5753-4e9a-b710-a83ecdd743de | jenkins -- multiple vulnerabilities

Jenkins Security Advisory:

Description

(High) SECURITY-868

Administrators could persist access to Jenkins using crafted 'Remember me' cookie

(Medium) SECURITY-901

Deleting a user in an external security realm did not invalidate their session or 'Remember me' cookie


Discovery 2019-01-16
Entry 2019-01-16
jenkins
lt 2.160

jenkins-lts
lt 2.150.2

https://jenkins.io/security/advisory/2019-01-16/

5cfa9d0c-73d7-4642-af4f-28fbed9e9404 | jenkins -- multiple vulnerabilities

Jenkins Security Advisory:

Please refer to the CVE/URL list for details.


Discovery 2017-02-01
Entry 2017-02-01
jenkins
lt 2.44

jenkins-lts
lt 2.32.2

CVE-2017-2598
CVE-2017-2599
CVE-2017-2600
CVE-2011-4969
CVE-2017-2601
CVE-2015-0886
CVE-2017-2602
CVE-2017-2603
CVE-2017-2604
CVE-2017-2605
CVE-2017-2606
CVE-2017-2607
CVE-2017-2608
CVE-2017-2609
CVE-2017-2610
CVE-2017-2611
CVE-2017-2612
CVE-2017-2613
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2017-02-01

e358b470-b37d-4e47-bc8a-2cd9adbeb63c | jenkins -- Denial of service vulnerability in bundled Jetty

Jenkins Security Advisory:

Description

(High) JENKINS-65280 / CVE-2021-28165

Denial of service vulnerability in bundled Jetty


Discovery 2021-04-20
Entry 2021-04-20
jenkins
lt 2.286

jenkins-lts
lt 2.277.3

https://www.jenkins.io/security/advisory/2021-04-20/
CVE-2021-28165

7136e6b7-e1b3-11e7-a4d3-000c292ee6b8 | jenkins -- Two startup race conditions

The Jenkins project reports:

A race condition during Jenkins startup could result in the wrong order of execution of commands during initialization.

On Jenkins 2.81 and newer, including LTS 2.89.1, this could in rare cases (we estimate less than 20% of new instances) result in failure to initialize the setup wizard on the first startup.

There is a very short window of time after startup during which Jenkins may no longer show the "Please wait while Jenkins is getting ready to work" message, but Cross-Site Request Forgery (CSRF) protection may not yet be effective.


Discovery 2017-12-14
Entry 2017-12-15
jenkins
lt 2.95

jenkins-lts
lt 2.89.2

https://jenkins.io/security/advisory/2017-12-14/

23af0425-9eac-11e5-b937-00e0814cab4e | jenkins -- multiple vulnerabilities

Jenkins Security Advisory:

Description

SECURITY-95 / CVE-2015-7536 (Stored XSS vulnerability through workspace files and archived artifacts)

In certain configurations, low privilege users were able to create e.g. HTML files in workspaces and archived artifacts that could result in XSS when accessed by other users. Jenkins now sends Content-Security-Policy headers that enable sandboxing and prohibit script execution by default.

SECURITY-225 / CVE-2015-7537 (CSRF vulnerability in some administrative actions)

Several administration/configuration related URLs could be accessed using GET, which allowed attackers to circumvent CSRF protection.

SECURITY-233 / CVE-2015-7538 (CSRF protection ineffective)

Malicious users were able to circumvent CSRF protection on any URL by sending specially crafted POST requests.

SECURITY-234 / CVE-2015-7539 (Jenkins plugin manager vulnerable to MITM attacks)

While the Jenkins update site data is digitally signed, and the signature verified by Jenkins, Jenkins did not verify the provided SHA-1 checksums for the plugin files referenced in the update site data. This enabled MITM attacks on the plugin manager, resulting in installation of attacker-provided plugins.


Discovery 2015-12-09
Entry 2015-12-09
jenkins
le 1.641

jenkins-lts
le 1.625.3

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-12-09

8e9c3f5a-715b-4336-8d05-19babef55e9e | jenkins -- multiple vulnerabilities

Jenkins Security Advisory:

Description

(Medium) SECURITY-1289

Jenkins accepted cached legacy CLI authentication

(Medium) SECURITY-1327

XSS vulnerability in form validation button


Discovery 2019-04-10
Entry 2019-04-10
jenkins
lt 2.172

jenkins-lts
lt 2.164.2

https://jenkins.io/security/advisory/2019-04-10/

7a7891fc-6318-447a-ba45-31d525ec11a0 | jenkins -- multiple vulnerabilities

Jenkins Security Advisory:

Description

(Medium) SECURITY-1453 / CVE-2019-10383

Stored XSS vulnerability in update center

(High) SECURITY-1491 / CVE-2019-10384

CSRF protection tokens for anonymous users did not expire in some circumstances


Discovery 2019-08-28
Entry 2019-08-28
jenkins
le 2.191

jenkins-lts
le 2.176.2

CVE-2019-10383
CVE-2019-10384
https://jenkins.io/security/advisory/2019-08-28/

df3db21d-1a4d-4c78-acf7-4639e5a795e0 | jenkins -- multiple vulnerabilities

Jenkins Security Advisory:

Description

(Medium) SECURITY-1424 / CVE-2019-10352

Arbitrary file write vulnerability using file parameter definitions

(High) SECURITY-626 / CVE-2019-10353

CSRF protection tokens did not expire

(Medium) SECURITY-534 / CVE-2019-10354

Unauthorized view fragment access


Discovery 2019-07-17
Entry 2019-07-17
jenkins
lt 2.186

jenkins-lts
lt 2.176.2

CVE-2019-10352
CVE-2019-10353
CVE-2019-10354
https://jenkins.io/security/advisory/2019-07-17/

1ddab5cb-14c9-4632-959f-802c412a9593 | jenkins -- multiple vulnerabilities

Jenkins Security Advisory:

Description

(High) SECURITY-1868 / CVE-2020-2220

Stored XSS vulnerability in job build time trend

(High) SECURITY-1901 / CVE-2020-2221

Stored XSS vulnerability in upstream cause

(High) SECURITY-1902 / CVE-2020-2222

Stored XSS vulnerability in 'keep forever' badge icons

(High) SECURITY-1945 / CVE-2020-2223

Stored XSS vulnerability in console links


Discovery 2020-07-15
Entry 2020-07-15
jenkins
lt 2.245

jenkins-lts
lt 2.235.2

CVE-2020-2220
CVE-2020-2221
CVE-2020-2222
CVE-2020-2223
https://www.jenkins.io/security/advisory/2020-07-15/

5bf6ed6d-9002-4f43-ad63-458f59e45384 | jenkins -- multiple vulnerabilities

Jenkins Security Advisory:

Description

(High) SECURITY-1774 / CVE-2020-2160

CSRF protection for any URL could be bypassed

(Medium) SECURITY-1781 / CVE-2020-2161

Stored XSS vulnerability in label expression validation

(Medium) SECURITY-1793 / CVE-2020-2162

Stored XSS vulnerability in file parameters

(Medium) SECURITY-1796 / CVE-2020-2163

Stored XSS vulnerability in list view column headers


Discovery 2020-03-25
Entry 2020-03-25
jenkins
le 2.227

jenkins-lts
le 2.204.5

CVE-2020-2160
CVE-2020-2161
CVE-2020-2162
CVE-2020-2163
https://jenkins.io/security/advisory/2020-03-25/

9d271bab-da22-11eb-86f0-94c691a700a6 | jenkins -- multiple vulnerabilities

Jenkins Security Advisory:

Description

(Medium) SECURITY-2278 / CVE-2021-21670

Improper permission checks allow canceling queue items and aborting builds

(High) SECURITY-2371 / CVE-2021-21671

Session fixation vulnerability


Discovery 2021-06-30
Entry 2021-07-01
jenkins
lt 2.300

jenkins-lts
lt 2.289.2

CVE-2021-21670
CVE-2021-21671
https://www.jenkins.io/security/advisory/2021-06-30/

5d374fbb-bae3-45db-afc0-795684ac7353 | jenkins -- Path traversal vulnerability allows access to files outside plugin resources

Jenkins developers report:

Jenkins did not properly prevent specifying relative paths that escape a base directory for URLs accessing plugin resource files. This allowed users with Overall/Read permission to download files from the Jenkins master they should not have access to.


Discovery 2018-02-14
Entry 2018-02-14
jenkins
le 2.106

jenkins-lts
le 2.89.3

https://jenkins.io/security/advisory/2018-02-14/
https://jenkins.io/blog/2018/02/14/security-updates/
CVE-2018-6356
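Both this entry (CVE-2018-6356, plugin resource URLs) and the 2018-05-09 entry above (agents escaping whitelisted directories) come down to a missing containment check: a relative path supplied by the caller was joined to a base directory without verifying that the result still lay inside it. The Python below is an added example, not Jenkins code, showing one correct form of that check; the directory layout, the symlink and the secret file are constructed inside run_demo() for the demonstration.

```python
# Added example (not Jenkins code): confining a caller-supplied relative path
# to a base directory, the check whose absence the advisories describe as
# "escaping a base directory". The fixture built in run_demo() is constructed.
import os
import pathlib
import tempfile
from typing import Dict


class PathEscapeError(ValueError):
    """Raised when a requested path would resolve outside the base directory."""


def resolve_within(base: str, requested: str) -> pathlib.Path:
    """Return the real path for `requested` under `base`, or raise.

    Three escape routes are closed: absolute paths (a naive join would drop
    `base`), ".." segments that climb above `base`, and symlinks inside `base`
    that point elsewhere. Both sides are compared after resolution, so the
    check sees the path the OS would actually open rather than the string the
    caller typed. The containment test is component-wise (via .parents), not a
    string prefix test, which would accept /srv/jenkins2 as inside /srv/jenkins."""
    base_real = pathlib.Path(base).resolve(strict=True)
    if os.path.isabs(requested):
        raise PathEscapeError(f"absolute path not allowed: {requested!r}")
    candidate = (base_real / requested).resolve(strict=False)
    if candidate != base_real and base_real not in candidate.parents:
        raise PathEscapeError(f"{requested!r} resolves outside {base_real}")
    return candidate


def read_resource(base: str, requested: str) -> bytes:
    """The hardened file-serving primitive: resolve and check first, then open."""
    return resolve_within(base, requested).read_bytes()


def run_demo() -> Dict[str, bool]:
    """Constructed fixture: a base directory holding one real resource and a
    symlink that points outside it, plus a secret file outside the base.
    Returns, per labelled request, whether the resolver accepted it."""
    outcomes: Dict[str, bool] = {}
    with tempfile.TemporaryDirectory() as outside, tempfile.TemporaryDirectory() as base:
        pathlib.Path(base, "plugins").mkdir()
        pathlib.Path(base, "plugins", "icon.png").write_bytes(b"\x89PNG")
        secret = pathlib.Path(outside, "secret.key")
        secret.write_text("hunter2")
        os.symlink(outside, os.path.join(base, "escape"))

        requests = {
            "inside": "plugins/icon.png",
            "dotdot_inside": "plugins/../plugins/icon.png",   # normalises back inside
            "dotdot_out": os.path.join("..", os.path.basename(outside), "secret.key"),
            "deep_dotdot": "plugins/../../../../etc/passwd",
            "absolute": str(secret),                           # ignores the base entirely
            "symlink_out": "escape/secret.key",                # symlink leads out of the base
        }
        for label, req in requests.items():
            try:
                read_resource(base, req)
                outcomes[label] = True
            except PathEscapeError:
                outcomes[label] = False
    return outcomes


if __name__ == "__main__":
    for label, accepted in run_demo().items():
        print(f"{label}: {'served' if accepted else 'rejected'}")
```

The ordering matters: resolve the whole path, so that ".." and symlinks have already been applied, and only then compare it against the resolved base, component by component. Scanning the raw string for ".." misses encoded variants and symlinks, and a string prefix test would accept a sibling directory whose name merely starts with the base's name.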