Note: This project will be discontinued after December 13, 2021.
Product: Jenkins
Repositories:
• https://github.com/jenkinsci/jenkins
• https://github.com/jenkinsci/winstone
#Vulnerabilities: 235
Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2022-01-12 | CVE-2022-20612 | A cross-site request forgery (CSRF) vulnerability in Jenkins 2.329 and earlier, LTS 2.319.1 and earlier allows attackers to trigger build of job without parameters when no security realm is set. | Jenkins, Communications_cloud_native_core_automated_test_suite | 4.3 | ||
2017-01-12 | CVE-2016-9299 | The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server. | Fedora, Jenkins | 9.8 | ||
2021-04-01 | CVE-2021-28165 | In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame. | Jetty, Jenkins, Cloud_manager, E-Series_performance_analyzer, E-Series_santricity_os_controller, E-Series_santricity_storage, E-Series_santricity_web_services, Ontap_tools, Santricity_cloud_connector, Santricity_web_services_proxy, Snapcenter, Storage_replication_adapter_for_clustered_data_ontap, Vasa_provider_for_clustered_data_ontap, Autovue_for_agile_product_lifecycle_management, Communications_cloud_native_core_policy, Communications_element_manager, Communications_services_gatekeeper, Communications_session_report_manager, Communications_session_route_manager, Rest_data_services, Siebel_core_-_automation | 7.5 | ||
2022-06-23 | CVE-2022-34174 | In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm. | Jenkins | 7.5 | ||
2022-06-23 | CVE-2022-34175 | Jenkins 2.335 through 2.355 (both inclusive) allows attackers in some cases to bypass a protection mechanism, thereby directly accessing some view fragments containing sensitive information, bypassing any permission checks in the corresponding view. | Jenkins | 7.5 | ||
2021-01-13 | CVE-2021-21603 | Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape notification bar response contents, resulting in a cross-site scripting (XSS) vulnerability. | Jenkins | 5.4 | ||
2021-01-13 | CVE-2021-21608 | Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape button labels in the Jenkins UI, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to control button labels. | Jenkins | 5.4 | ||
2021-01-13 | CVE-2021-21610 | Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not implement any restrictions for the URL rendering a formatted preview of markup passed as a query parameter, resulting in a reflected cross-site scripting (XSS) vulnerability if the configured markup formatter does not prohibit unsafe elements (JavaScript) in markup. | Jenkins | 6.1 | ||
2021-01-13 | CVE-2021-21611 | Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape display names and IDs of item types shown on the New Item page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to specify display names or IDs of item types. | Jenkins | 5.4 | ||
2021-11-04 | CVE-2021-21697 | Jenkins 2.318 and earlier, LTS 2.303.2 and earlier allows any agent to read and write the contents of any build directory stored in Jenkins with very few restrictions. | Jenkins | 9.1 | ||