AVG-1446 log

Package: jenkins
Status: Fixed
Severity: High
Type: multiple issues
Affected: 2.274-1
Fixed: 2.275-1
Current: 2.317-1 [community]
Ticket: None
Created: Wed Jan 13 14:47:47 2021
Issues (Issue | Severity | Remote | Type, followed by Description)

CVE-2021-21611 | High | Yes | Cross-site scripting
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape display names and IDs of item types shown on the New Item page. This results in a stored...

CVE-2021-21610 | High | Yes | Cross-site scripting
Jenkins allows administrators to choose the markup formatter to use for descriptions of jobs, builds, views, etc. displayed in Jenkins. When editing such a...

CVE-2021-21609 | Low | Yes | Insufficient validation
Jenkins includes a static list of URLs that are always accessible even without Overall/Read permission, such as the login form. These URLs are excluded from...

CVE-2021-21608 | High | Yes | Cross-site scripting
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape button labels in the Jenkins UI. This results in a cross-site scripting vulnerability...

CVE-2021-21607 | Medium | Yes | Denial of service
Jenkins renders several different graphs for features like agent and label usage statistics, memory usage, or various plugin-provided statistics. Jenkins...

CVE-2021-21606 | Medium | Yes | Information disclosure
Jenkins provides a feature for jobs to store and track fingerprints of files used during a build. Jenkins 2.274 and earlier, LTS 2.263.1 and earlier...

CVE-2021-21605 | High | Yes | Directory traversal
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows users with Agent/Configure permission to choose agent names that cause Jenkins to override...

CVE-2021-21604 | High | Yes | Incorrect calculation
Jenkins provides XML REST APIs to configure views, jobs, and other items. When deserialization fails because of invalid data, Jenkins 2.274 and earlier, LTS...

CVE-2021-21603 | High | Yes | Cross-site scripting
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape notification bar response contents (typically shown after form submissions via Apply...

CVE-2021-21602 | Medium | Yes | Arbitrary filesystem access
A security issue was found in Jenkins before version 2.275. The file browser for workspaces, archived artifacts, and $JENKINS_HOME/userContent/ follows...
Advisories (Date | Advisory | Package | Type)

20 Jan 2021 | ASA-202101-41 | jenkins | multiple issues
References
https://www.jenkins.io/security/advisory/2021-01-13/