TechMedia

Author: wpmaster
811184 Posts

Featured

Posted by Wpmaster
Latest information released on the PS5/XSX version of the large-scale competitive action game "Warlander": new content and game improvements in development ahead of release
Posted by Wpmaster
The sauna boom has arrived!! New sauna facilities and a variety of sauna goods appear to deliver "totonou" (My Life News)
Posted by Wpmaster
Yoshinoya HD's operating profit up 34% for the fiscal year ending February 2024, highest level in 12 years (Nihon Keizai Shimbun)
Posted by Wpmaster
[Photo] Major counteroffensive may slip into summer, says Ukrainian prime minister (Sankei Shimbun)

[org.jenkins-ci.main:jenkins-core] Arbitrary file read vulnerability in workspace browsers in Jenkins

  • Posted in MODERATE
  • Posted by Wpmaster
  • 05/25/2022, 12/14/2022

The file browser for workspaces, archived artifacts, and $JENKINS_HOME/userContent/ follows symbolic links to locations outside the directory being browsed in Jenkins 2.274 and earlier, LTS 2.263.1 and earlier.
This allows attackers with Job/Workspace …

[org.jenkins-ci.main:jenkins-core] Arbitrary file existence check in file fingerprints in Jenkins

  • Posted in MODERATE
  • Posted by Wpmaster
  • 05/25/2022, 12/14/2022

Jenkins provides a feature for jobs to store and track fingerprints of files used during a build. Jenkins 2.274 and earlier, LTS 2.263.1 and earlier provides a REST API to check where a given fingerprint was used by which builds. This endpoint does not…

[org.jenkins-ci.main:jenkins-core] Missing permission check for paths with specific prefix in Jenkins

  • Posted in LOW
  • Posted by Wpmaster
  • 05/25/2022, 12/14/2022

Jenkins includes a static list of URLs that are always accessible even without Overall/Read permission, such as the login form. These URLs are excluded from an otherwise universal permission check.
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier doe…

[org.jenkins-ci.main:jenkins-core] Improper handling of REST API XML deserialization errors in Jenkins

  • Posted in HIGH
  • Posted by Wpmaster
  • 05/25/2022, 12/14/2022

Jenkins provides XML REST APIs to configure views, jobs, and other items. When deserialization fails because of invalid data, Jenkins 2.274 and earlier, LTS 2.263.1 and earlier stores invalid object references created through these endpoints in the Old…

[Microsoft.AspNetCore.App.Runtime.linux-musl-arm] ASP.NET Core and Visual Studio Denial of Service Vulnerability

  • Posted in HIGH
  • Posted by Wpmaster
  • 05/25/2022, 11/04/2022

A denial-of-service vulnerability exists in the way Kestrel parses HTTP/2 requests. The security update addresses the vulnerability by fixing the way Kestrel parses HTTP/2 requests. Users are advised to upgrade.
References

https://nvd.nist.gov/vul…

[org.jenkins-ci.plugins:cvs] XXE vulnerability in Jenkins CVS Plugin

  • Posted in HIGH
  • Posted by Wpmaster
  • 05/25/2022, 12/24/2022

CVS Plugin 2.16 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers able to control an agent process to have Jenkins parse a crafted changelog file that uses external entities for extraction…

[io.jenkins.plugins:chaos-monkey] Missing permission checks in Jenkins Chaos Monkey Plugin

  • Posted in MODERATE
  • Posted by Wpmaster
  • 05/25/2022, 12/24/2022

Chaos Monkey Plugin 0.3 and earlier does not perform permission checks in several HTTP endpoints.
This allows attackers with Overall/Read permission to generate load and to generate memory leaks.
Chaos Monkey Plugin 0.4 requires Overall/Administer perm…

[io.jenkins.plugins:chaos-monkey] Missing permission checks in Jenkins Chaos Monkey Plugin

  • Posted in MODERATE
  • Posted by Wpmaster
  • 05/25/2022, 12/17/2022

Chaos Monkey Plugin 0.4 and earlier does not perform permission checks in an HTTP endpoint.
This allows attackers with Overall/Read permission to access the Chaos Monkey page and to see the history of actions.
Chaos Monkey Plugin 0.4.1 requires Overall…

[org.jenkins-ci.plugins:shelve-project-plugin] CSRF vulnerability in Jenkins Shelve Project Plugin

  • Posted in HIGH
  • Posted by Wpmaster
  • 05/25/2022, 12/17/2022

Shelve Project Plugin 3.0 and earlier does not require POST requests for HTTP endpoints, resulting in cross-site request forgery (CSRF) vulnerabilities.
These vulnerabilities allow attackers to shelve, unshelve, or delete a project.
Shelve Project Plug…

[gitaly] Gitaly Insufficient Session Expiration vulnerability

  • Posted in LOW
  • Posted by Wpmaster
  • 05/25/2022, 01/25/2023

When importing repos via URL, one-time-use git credentials were persisted beyond the expected time window in Gitaly 1.79.0 or above. Affected versions are: >=1.79.0, <13.3.9; >=13.4, <13.4.5; >=13.5, <13.5.2.
References

https://nvd.nis…
