CVE-2021-21653
CVE-2021-21653 : Jenkins Xray - Test Management for Jira Plugin version 2.4.0 and earlier has an HTTP endpoint that does not perform a permission check. With Overall/Read privileges, an attacker can enumerate credential IDs stored in Jenkins, exposing secrets management metadata. The vulnerabilit...
CVE-2021-21647
Jenkins CloudBees CD Plugin 1.1.21 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Item/Read permission to schedule builds of projects without having Item/Build permission...
PT-2021-14690 · Cloudbees +1 · Jenkins Cloudbees Cd Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins CloudBees CD Plugin versions 1.1.21 and earlier Description: The issue concerns a lack of permission check in an HTTP endpoint, allowing attackers with Item/Read permission to schedule builds of projects without having Item/Build...
Insufficient Verification of Data Authenticity in Eclipse Theia
In Eclipse Theia versions 0.3.9 through 0.15.0, one of the default pre-packaged Theia extensions is "Mini-Browser", published as "@theia/mini-browser" on npmjs.com. For its own needs, this extension exposes an HTTP endpoint that allows reading the content of files on the host's filesystem, given...
CVE-2021-21631
Jenkins Cloud Statistics Plugin 0.26 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission and knowledge of random activity IDs to view related provisioning exception error messages...
Code injection
Jenkins Cloud Statistics Plugin 0.26 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission and knowledge of random activity IDs to view related provisioning exception error messages...
PT-2021-14674 · Jenkins · Jenkins Cloud Statistics Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins Cloud Statistics Plugin versions 0.26 and earlier Description: The issue concerns a lack of permission check in an HTTP endpoint, allowing attackers with Overall/Read permission and knowledge of random activity IDs to view related...
PT-2021-14660 · Jenkins · Jenkins Configuration Slicing Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins Configuration Slicing Plugin versions 1.51 and earlier Description: A cross-site request forgery (CSRF) vulnerability allows attackers to apply different slice configurations to attacker-specified jobs. This issue arises because the for...
PT-2021-10096 · Apache · Apache Flink
Name of the Vulnerable Software and Affected Versions: Apache Flink version 1.5.1 Description: A REST handler in Apache Flink allows writing an uploaded file to any location on the local file system through a maliciously modified HTTP header. This issue enables files to be written to any locatio...
CVE-2020-25617
An issue was discovered in SolarWinds N-Central 12.3.0.670. The AdvancedScripts HTTP endpoint allows Relative Path Traversal by an authenticated user of the N-Central Administration Console (NAC), leading to execution of OS commands as root...
CVE-2020-2323
Jenkins Chaos Monkey Plugin 0.4 and earlier does not perform permission checks in an HTTP endpoint, allowing attackers with Overall/Read permission to access the Chaos Monkey page and to see the history of actions...
Design/Logic Flaw
Jenkins Chaos Monkey Plugin 0.4 and earlier does not perform permission checks in an HTTP endpoint, allowing attackers with Overall/Read permission to access the Chaos Monkey page and to see the history of actions...
CVE-2020-2323
Summary: Jenkins Chaos Monkey Plugin 0.4 and earlier lacks permission checks on an HTTP endpoint. This allows attackers with Overall/Read to access the Chaos Monkey page and view action history. Mitigation: Upgrade to version 0.4.1 or later, which requires Overall/Administer permission to access ...
Design/Logic Flaw
Jenkins Implied Labels Plugin 0.6 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to configure the plugin...
CVE-2020-2282
Jenkins Implied Labels Plugin 0.6 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to configure the plugin...
Design/Logic Flaw
Jenkins Health Advisor by CloudBees Plugin 3.2.0 and earlier does not correctly perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to view that HTTP endpoint...