DATABASE RESOURCES PRICING ABOUT US

{"id": "ALPINE:CVE-2021-21613", "vendorId": null, "type": "alpinelinux", "bulletinFamily": "unix", "title": "CVE-2021-21613", "description": "Jenkins TICS Plugin 2020.3.0.6 and earlier does not escape TICS service responses, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to control TICS service response content.", "published": "2021-01-13T16:15:00", "modified": "2021-01-19T17:19:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "MEDIUM", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 4.3}, "severity": "MEDIUM", "exploitabilityScore": 8.6, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://security.alpinelinux.org/vuln/CVE-2021-21613", "reporter": "Alpine Linux Development Team", "references": [], "cvelist": ["CVE-2021-21613"], "immutableFields": [], "lastseen": "2022-06-29T03:58:10", "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-21613"]}, {"type": "nessus", "idList": ["CLOUDBEES_SECURITY_ADVISORY_2021-01-13.NASL"]}], "rev": 4}, "score": {"value": 4.3, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2021-21613"]}, {"type": "nessus", "idList": ["CLOUDBEES_SECURITY_ADVISORY_2021-01-13.NASL"]}]}, "exploitation": null, "vulnersScore": 4.3}, "_state": {"dependencies": 0}, "_internal": {}, "affectedPackage": [{"OS": "Alpine", "OSVersion": "3.13-community", "packageFilename": "UNKNOWN", "arch": "noarch", "packageVersion": "2.287-r0", "operator": "eq", "packageName": "jenkins"}, {"OS": "Alpine", "OSVersion": "3.14-community", "packageFilename": "UNKNOWN", "arch": "noarch", "packageVersion": "2.297-r0", "operator": "eq", "packageName": "jenkins"}, {"OS": "Alpine", "OSVersion": "3.15-community", "packageFilename": "UNKNOWN", "arch": "noarch", "packageVersion": "2.319.3-r0", "operator": "eq", "packageName": "jenkins"}, {"OS": "Alpine", "OSVersion": "edge-community", "packageFilename": "UNKNOWN", "arch": "noarch", "packageVersion": "2.332.3-r0", "operator": "eq", "packageName": "jenkins"}, {"OS": "Alpine", "OSVersion": "3.16-community", "packageFilename": "UNKNOWN", "arch": "noarch", "packageVersion": "2.332.3-r0", "operator": "eq", "packageName": "jenkins"}]}

{"cve": [{"lastseen": "2022-03-23T13:46:00", "description": "Jenkins TICS Plugin 2020.3.0.6 and earlier does not escape TICS service responses, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to control TICS service response content.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-01-13T16:15:00", "type": "cve", "title": "CVE-2021-21613", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21613"], "modified": "2021-01-19T17:19:00", "cpe": ["cpe:/a:jenkins:tics:2020.3.0.6"], "id": "CVE-2021-21613", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21613", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:jenkins:tics:2020.3.0.6:*:*:*:*:jenkins:*:*"]}], "nessus": [{"lastseen": "2022-04-11T21:37:54", "description": "The version of Jenkins Enterprise or Jenkins Operations Center running on the remote web server is 2.222.x prior to 2.222.43.0.1, 2.249.x prior to 2.249.30.0.1, or 2.x prior to 2.263.2.2. It is, therefore, affected by multiple vulnerabilities, including the following:\n\n - Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows attackers with permission to create or configure various objects to inject crafted content into Old Data Monitor that results in the instantiation of potentially unsafe objects once discarded by an administrator. (CVE-2021-21604)\n\n - Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows users with Agent/Configure permission to choose agent names that cause Jenkins to override the global `config.xml` file. (CVE-2021-21605)\n\n - Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not correctly match requested URLs to the list of always accessible paths, allowing attackers without Overall/Read permission to access some URLs as if they did have Overall/Read permission. (CVE-2021-21609)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 8, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"}, "published": "2021-11-29T00:00:00", "type": "nessus", "title": "Jenkins Enterprise and Operations Center < 2.222.43.0.1 / 2.249.30.0.1 / 2.263.2.2 Multiple Vulnerabilities (CloudBees Security Advisory 2021-01-13)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-21602", "CVE-2021-21603", "CVE-2021-21604", "CVE-2021-21605", "CVE-2021-21606", "CVE-2021-21607", "CVE-2021-21608", "CVE-2021-21609", "CVE-2021-21610", "CVE-2021-21611", "CVE-2021-21612", "CVE-2021-21613", "CVE-2021-21614"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:cloudbees:jenkins"], "id": "CLOUDBEES_SECURITY_ADVISORY_2021-01-13.NASL", "href": "https://www.tenable.com/plugins/nessus/155715", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(155715);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\n \"CVE-2021-21602\",\n \"CVE-2021-21603\",\n \"CVE-2021-21604\",\n \"CVE-2021-21605\",\n \"CVE-2021-21606\",\n \"CVE-2021-21607\",\n \"CVE-2021-21608\",\n \"CVE-2021-21609\",\n \"CVE-2021-21610\",\n \"CVE-2021-21611\",\n \"CVE-2021-21612\",\n \"CVE-2021-21613\",\n \"CVE-2021-21614\"\n );\n\n script_name(english:\"Jenkins Enterprise and Operations Center < 2.222.43.0.1 / 2.249.30.0.1 / 2.263.2.2 Multiple Vulnerabilities (CloudBees Security Advisory 2021-01-13)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A job scheduling and management system hosted on the remote web server is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Jenkins Enterprise or Jenkins Operations Center running on the remote web server is 2.222.x prior to\n2.222.43.0.1, 2.249.x prior to 2.249.30.0.1, or 2.x prior to 2.263.2.2. It is, therefore, affected by multiple\nvulnerabilities, including the following:\n\n - Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows attackers with permission to create or configure\n various objects to inject crafted content into Old Data Monitor that results in the instantiation of\n potentially unsafe objects once discarded by an administrator. (CVE-2021-21604)\n\n - Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows users with Agent/Configure permission to choose\n agent names that cause Jenkins to override the global `config.xml` file. (CVE-2021-21605)\n\n - Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not correctly match requested URLs to the list of\n always accessible paths, allowing attackers without Overall/Read permission to access some URLs as if they\n did have Overall/Read permission. (CVE-2021-21609)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.cloudbees.com/cloudbees-security-advisory-2021-01-13\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade Jenkins Enterprise or Jenkins Operations Center to version 2.222.43.0.1, 2.249.30.0.1, 2.263.2.2 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-21605\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cloudbees:jenkins\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"jenkins_detect.nasl\", \"jenkins_win_installed.nbin\", \"jenkins_nix_installed.nbin\", \"macosx_jenkins_installed.nbin\");\n script_require_keys(\"installed_sw/Jenkins\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nvar app_info = vcf::combined_get_app_info(app:'Jenkins');\n\nvar constraints = [\n { 'min_version' : '2.222', 'fixed_version' : '2.222.43.0.1', 'edition' : make_list('Enterprise', 'Operations Center') },\n { 'min_version' : '2.249', 'fixed_version' : '2.249.30.0.1', 'edition' : make_list('Enterprise', 'Operations Center') },\n { 'min_version' : '2', 'fixed_version' : '2.263.2.2', 'edition' : make_list('Enterprise', 'Operations Center'), 'rolling_train' : TRUE },\n];\n\nvcf::jenkins::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_WARNING,\n flags:{'xss':TRUE}\n);\n", "cvss": {"score": 6, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}]}