Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Jenkins
(Jenkins)| Repositories |
• https://github.com/jenkinsci/jenkins
• https://github.com/jenkinsci/winstone |
| #Vulnerabilities | 235 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2021-11-04 | CVE-2021-21687 | Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agent-to-controller access to create symbolic links when unarchiving a symbolic link in FilePath#untar. | Jenkins | 9.1 | ||
| 2021-11-04 | CVE-2021-21688 | The agent-to-controller security check FilePath#reading(FileVisitor) in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not reject any operations, allowing users to have unrestricted read access using certain operations (creating archives, FilePath#copyRecursiveTo). | Jenkins | 7.5 | ||
| 2021-11-04 | CVE-2021-21689 | FilePath#unzip and FilePath#untar were not subject to any agent-to-controller access control in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. | Jenkins | 9.1 | ||
| 2021-11-04 | CVE-2021-21690 | Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. | Jenkins | 9.8 | ||
| 2021-11-04 | CVE-2021-21691 | Creating symbolic links is possible without the 'symlink' agent-to-controller access control permission in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. | Jenkins | 9.8 | ||
| 2021-11-04 | CVE-2021-21692 | FilePath#renameTo and FilePath#moveAllChildrenTo in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier only check 'read' agent-to-controller access permission on the source path, instead of 'delete'. | Jenkins | 9.8 | ||
| 2021-11-04 | CVE-2021-21693 | When creating temporary files, agent-to-controller access to create those files is only checked after they've been created in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. | Jenkins | 9.8 | ||
| 2021-11-04 | CVE-2021-21694 | FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. | Jenkins | 9.8 | ||
| 2021-11-04 | CVE-2021-21695 | FilePath#listFiles lists files outside directories that agents are allowed to access when following symbolic links in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. | Jenkins | 8.8 | ||
| 2021-11-04 | CVE-2021-21696 | Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not limit agent read/write access to the libs/ directory inside build directories when using the FilePath APIs, allowing attackers in control of agent processes to replace the code of a trusted library with a modified variant. This results in unsandboxed code execution in the Jenkins controller process. | Jenkins | 9.8 |