jenkins

Description: Extendable continuous integration server (latest)
Version: 2.313-1 [community]

Resolved

Group | Affected | Fixed | Severity | Status | Ticket
AVG-2118 | 2.299-1 | 2.300-1 | High | Fixed |
AVG-1841 | 2.285-1 | 2.286-1 | High | Not affected |
AVG-1781 | 2.286-1 | 2.287-1 | Medium | Fixed |
AVG-1595 | 2.279-1 | 2.280-1 | High | Fixed |
AVG-1491 | 2.275-1 | 2.276-1 | Medium | Fixed |
AVG-1446 | 2.274-1 | 2.275-1 | High | Fixed |
AVG-1030 | 2.189-1 | 2.192-1 | Medium | Fixed |
AVG-1012 | 2.185-1 | 2.186-1 | High | Fixed |
AVG-948 | 2.171-1 | 2.172-1 | Medium | Fixed |
AVG-778 | 2.145-1 | 2.146-1 | Medium | Fixed |
AVG-738 | 2.132-1 | 2.133-1 | High | Fixed |
AVG-543 | 2.93-1 | 2.94-1 | Medium | Fixed |
AVG-255 | 2.56-1 | 2.57-1 | High | Fixed |
Issue | Group | Severity | Remote | Type | Description
CVE-2021-28165 | AVG-1841 | High | Yes | Denial of service | When using SSL/TLS with Jetty, either with HTTP/1.1, HTTP/2, or WebSocket, the server may receive an invalid large (greater than 17408) TLS frame that is...
CVE-2021-22112 | AVG-1595 | High | Yes | Privilege escalation | A security issue was found in Jenkins 2.275 through 2.278 (inclusive) that allows attackers with Job/Workspace permission to exploit this to switch their...
CVE-2021-21671 | AVG-2118 | High | Yes | Authentication bypass | Jenkins 2.299 and earlier does not invalidate the existing session on login. This allows attackers to use social engineering techniques to gain...
CVE-2021-21670 | AVG-2118 | Medium | Yes | Access restriction bypass | Jenkins 2.299 and earlier allows users to cancel queue items and abort builds of jobs for which they have Item/Cancel permission even when they do not have...
CVE-2021-21640 | AVG-1781 | Medium | Yes | Insufficient validation | Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not properly check that a newly created view has an allowed name, allowing attackers with...
CVE-2021-21639 | AVG-1781 | Medium | Yes | Insufficient validation | Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not validate the type of object created after loading the data submitted to the config.xml REST API...
CVE-2021-21615 | AVG-1491 | Medium | Yes | Directory traversal | Due to a time-of-check to time-of-use (TOCTOU) race condition, the file browser for workspaces, archived artifacts, and $JENKINS_HOME/userContent/ follows...
CVE-2021-21611 | AVG-1446 | High | Yes | Cross-site scripting | Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape display names and IDs of item types shown on the New Item page. This results in a stored...
CVE-2021-21610 | AVG-1446 | High | Yes | Cross-site scripting | Jenkins allows administrators to choose the markup formatter to use for descriptions of jobs, builds, views, etc. displayed in Jenkins. When editing such a...
CVE-2021-21609 | AVG-1446 | Low | Yes | Insufficient validation | Jenkins includes a static list of URLs that are always accessible even without Overall/Read permission, such as the login form. These URLs are excluded from...
CVE-2021-21608 | AVG-1446 | High | Yes | Cross-site scripting | Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape button labels in the Jenkins UI. This results in a cross-site scripting vulnerability...
CVE-2021-21607 | AVG-1446 | Medium | Yes | Denial of service | Jenkins renders several different graphs for features like agent and label usage statistics, memory usage, or various plugin-provided statistics. Jenkins...
CVE-2021-21606 | AVG-1446 | Medium | Yes | Information disclosure | Jenkins provides a feature for jobs to store and track fingerprints of files used during a build. Jenkins 2.274 and earlier, LTS 2.263.1 and earlier...
CVE-2021-21605 | AVG-1446 | High | Yes | Directory traversal | Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows users with Agent/Configure permission to choose agent names that cause Jenkins to override...
CVE-2021-21604 | AVG-1446 | High | Yes | Incorrect calculation | Jenkins provides XML REST APIs to configure views, jobs, and other items. When deserialization fails because of invalid data, Jenkins 2.274 and earlier, LTS...
CVE-2021-21603 | AVG-1446 | High | Yes | Cross-site scripting | Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape notification bar response contents (typically shown after form submissions via Apply...
CVE-2021-21602 | AVG-1446 | Medium | Yes | Arbitrary filesystem access | A security issue was found in Jenkins before version 2.275. The file browser for workspaces, archived artifacts, and $JENKINS_HOME/userContent/ follows...
CVE-2019-1003050 | AVG-948 | Medium | Yes | Cross-site scripting | The f:validateButton form control for the Jenkins UI did not properly escape job URLs. This resulted in a cross-site scripting (XSS) vulnerability...
CVE-2019-1003049 | AVG-948 | Medium | Yes | Access restriction bypass | A security issue has been found in Jenkins before 2.172, where the fix for SECURITY-901 in Jenkins 2.150.2 and 2.160 did not reject existing remoting-based...
CVE-2019-10384 | AVG-1030 | Medium | Yes | Cross-site request forgery | Jenkins allowed the creation of CSRF tokens without a corresponding web session ID. This is the result of an incomplete fix for SECURITY-626 in the...
CVE-2019-10383 | AVG-1030 | Low | Yes | Cross-site scripting | Jenkins did not properly escape the update site URL in some status messages shown in the update center, resulting in a stored cross-site scripting...
CVE-2019-10354 | AVG-1012 | High | Yes | Access restriction bypass | A security issue has been found in Jenkins before 2.186. Jenkins uses the Stapler web framework to render its UI views. These views are frequently comprised...
CVE-2019-10353 | AVG-1012 | High | Yes | Cross-site request forgery | By default, CSRF tokens in Jenkins before 2.186 only checked user authentication and IP address. This allowed attackers able to obtain a CSRF token for...
CVE-2019-10352 | AVG-1012 | High | Yes | Arbitrary file overwrite | A vulnerability has been found in Jenkins before 2.186, where users with Job/Configure permission could specify a relative path escaping the base directory...
CVE-2018-1999043 | AVG-778 | Medium | Yes | Access restriction bypass | A security issue has been found in Jenkins versions prior to 2.146. When attempting to authenticate using an API token, an ephemeral user record was created to...
CVE-2018-1999007 | AVG-738 | Medium | Yes | Cross-site scripting | Stapler is the web framework used by Jenkins to route HTTP requests. When its debug mode is enabled, HTTP 404 error pages display diagnostic information....
CVE-2018-1999006 | AVG-738 | Medium | Yes | Information disclosure | Files indicating when a plugin JPI file was last extracted into a subdirectory of plugins/ in the Jenkins home directory were accessible via HTTP by users...
CVE-2018-1999005 | AVG-738 | Medium | Yes | Cross-site scripting | The build timeline widget shown on URLs like /view/…/builds in Jenkins before 2.133 did not properly escape display names of items. This resulted in a...
CVE-2018-1999004 | AVG-738 | Medium | Yes | Access restriction bypass | The URL that initiates agent launches on the Jenkins master before 2.133 did not perform a permission check, allowing users with Overall/Read permission to...
CVE-2018-1999003 | AVG-738 | Medium | Yes | Access restriction bypass | The URLs handling cancellation of queued builds in Jenkins before 2.133 did not perform a permission check, allowing users with Overall/Read permission to...
CVE-2018-1999002 | AVG-738 | High | Yes | Arbitrary filesystem access | An arbitrary file read vulnerability in the Stapler web framework used by Jenkins before 2.133 allowed unauthenticated users to send crafted HTTP requests...
CVE-2018-1999001 | AVG-738 | High | Yes | Access restriction bypass | Unauthenticated users could provide maliciously crafted login credentials that cause Jenkins before 2.133 to move the config.xml file from the Jenkins home...
CVE-2017-1000356 | AVG-255 | High | Yes | Cross-site request forgery | Multiple Cross-Site Request Forgery vulnerabilities in Jenkins allowed malicious users to perform several administrative actions by tricking a victim into...
CVE-2017-1000355 | AVG-255 | Medium | Yes | Arbitrary code execution | Jenkins uses the XStream library to serialize and deserialize XML. Its maintainer recently published a security vulnerability that allows anyone able to...
CVE-2017-1000354 | AVG-255 | High | Yes | Privilege escalation | The login command available in the remoting-based CLI stored the encrypted user name of the successfully authenticated user in a cache file used to...
CVE-2017-17383 | AVG-543 | Medium | Yes | Cross-site scripting | Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form, as demonstrated...

Advisories

Date | Advisory | Group | Severity | Type
01 Jul 2021 | ASA-202107-5 | AVG-2118 | High | multiple issues
20 Jan 2021 | ASA-202101-41 | AVG-1446 | High | multiple issues
30 Aug 2019 | ASA-201908-22 | AVG-1030 | Medium | multiple issues
11 Apr 2019 | ASA-201904-7 | AVG-948 | Medium | multiple issues
21 Jul 2018 | ASA-201807-14 | AVG-738 | High | multiple issues
27 Apr 2017 | ASA-201704-8 | AVG-255 | High | multiple issues