Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Jenkins
(Jenkins)| Repositories |
• https://github.com/jenkinsci/jenkins
• https://github.com/jenkinsci/winstone |
| #Vulnerabilities | 235 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2023-10-10 | CVE-2023-36478 | Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to exceed their size limit. `MetaDataBuilder.java` determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded. However, when length is very large and huffman is true, the multiplication by 4 in line 295 will... | Debian_linux, Jetty, Jenkins | 7.5 | ||
| 2015-11-25 | CVE-2015-8103 | The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'". | Jenkins, Openshift_container_platform | 9.8 | ||
| 2022-02-09 | CVE-2022-0538 | Jenkins 2.333 and earlier, LTS 2.319.2 and earlier defines custom XStream converters that have not been updated to apply the protections for the vulnerability CVE-2021-43859 and allow unconstrained resource usage. | Jenkins | 7.5 | ||
| 2021-10-06 | CVE-2021-21682 | Jenkins 2.314 and earlier, LTS 2.303.1 and earlier accepts names of jobs and other entities with a trailing dot character, potentially replacing the configuration and data of other entities on Windows. | Jenkins | 4.3 | ||
| 2021-10-06 | CVE-2021-21683 | The file browser in Jenkins 2.314 and earlier, LTS 2.303.1 and earlier may interpret some paths to files as absolute on Windows, resulting in a path traversal vulnerability allowing attackers with Overall/Read permission (Windows controller) or Job/Workspace permission (Windows agents) to obtain the contents of arbitrary files. | Jenkins | 6.5 | ||
| 2021-11-04 | CVE-2021-21685 | Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agent-to-controller access to create parent directories in FilePath#mkdirs. | Jenkins | 9.1 | ||
| 2021-11-04 | CVE-2021-21686 | File path filters in the agent-to-controller security subsystem of Jenkins 2.318 and earlier, LTS 2.303.2 and earlier do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories. | Jenkins | 8.1 | ||
| 2021-11-04 | CVE-2021-21687 | Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agent-to-controller access to create symbolic links when unarchiving a symbolic link in FilePath#untar. | Jenkins | 9.1 | ||
| 2021-11-04 | CVE-2021-21688 | The agent-to-controller security check FilePath#reading(FileVisitor) in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not reject any operations, allowing users to have unrestricted read access using certain operations (creating archives, FilePath#copyRecursiveTo). | Jenkins | 7.5 | ||
| 2021-11-04 | CVE-2021-21689 | FilePath#unzip and FilePath#untar were not subject to any agent-to-controller access control in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. | Jenkins | 9.1 |