jenkins: Multiple vulnerabilities (CVE-2021-21602, CVE-2021-21603, CVE-2021-21604, CVE-2021-21605, CVE-2021-21606, CVE-2021-21607, CVE-2021-21608, CVE-2021-21609, CVE-2021-21610, CVE-2021-21611)
CVE-2021-21602: Arbitrary file read vulnerability in workspace browsers
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows reading arbitrary files using the file browser for workspaces and archived artifacts by following symlinks.
Note: This issue is caused by an incomplete fix for SECURITY-904 / CVE-2018-1000862 in the 2018-12-08 security advisory.
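Added example (not code from the advisory or from Jenkins): a symlink-aware containment check of the kind that closes the workspace-browser hole described above. It canonicalises the requested path, following every symlink, and serves the file only if the result still lies under the real workspace root; the helper names and the sample workspace layout are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional

def resolve_within_root(root: str, requested: str) -> Optional[Path]:
    """Canonicalise `requested` relative to `root` (following symlinks and '..')
    and accept it only if the result is still under the real `root`.
    Returns the canonical path, or None when the request escapes the root."""
    root_real = Path(root).resolve(strict=True)   # root itself may be a symlink
    target = (root_real / requested).resolve()     # follows symlinks and '..'
    try:
        target.relative_to(root_real)              # raises ValueError if outside
    except ValueError:
        return None
    return target

def build_demo_workspace() -> dict:
    """Constructed sample layout (hypothetical): a workspace holding a real build
    log and a symlink that points at a file outside the workspace, which is the
    pattern the unchecked browser would follow."""
    base = Path(tempfile.mkdtemp(prefix="ws-demo-"))
    workspace = base / "workspace" / "job1"
    workspace.mkdir(parents=True)
    (workspace / "build.log").write_text("ok\n")
    secret = base / "secrets.xml"
    secret.write_text("<secret/>\n")
    os.symlink(secret, workspace / "escape")       # inside ws, target outside
    return {"workspace": str(workspace), "secret": str(secret)}

def browse(workspace: str, requested: str) -> str:
    """Serve a workspace file only after the containment check passes.
    In production, resolution and open must be a single step (e.g. open relative
    to a directory fd with O_NOFOLLOW) to avoid a check-then-open race."""
    path = resolve_within_root(workspace, requested)
    if path is None or not path.is_file():
        return "denied"
    return path.read_text()

if __name__ == "__main__":
    ws = build_demo_workspace()["workspace"]
    print(browse(ws, "build.log"))          # ok
    print(browse(ws, "escape"))             # denied: symlink leaves the workspace
    print(browse(ws, "../../secrets.xml"))  # denied: dot-dot traversal
```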
CVE-2021-21603: XSS vulnerability in notification bar
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape notification bar response contents (typically shown after form submissions via Apply button).
CVE-2021-21604: Improper handling of REST API XML deserialization errors
Jenkins provides XML REST APIs to configure views, jobs, and other items. When deserialization fails because of invalid data, Jenkins 2.274 and earlier, LTS 2.263.1 and earlier stores invalid object references created through these endpoints in the Old Data Monitor. If an administrator discards the old data, some erroneous data submitted to these endpoints may be persisted.
CVE-2021-21605: Path traversal vulnerability in agent names
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows users with Agent/Configure permission to choose agent names that cause Jenkins to override unrelated config.xml files. If the global config.xml file is replaced, Jenkins will start up with unsafe legacy defaults after a restart.
CVE-2021-21606: Arbitrary file existence check in file fingerprints
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier improperly validates the format of a provided fingerprint ID when checking for its existence, allowing an attacker to check for the existence of XML files with a short path.
CVE-2021-21607: Excessive memory allocation in graph URLs leads to denial of service
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not limit the graph size provided as query parameters. This allows attackers to request or to have legitimate Jenkins users request crafted URLs that rapidly use all available memory in Jenkins, potentially leading to out of memory errors.
CVE-2021-21608: Stored XSS vulnerability in button labels
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape button labels in the Jenkins UI.
CVE-2021-21609: Missing permission check for paths with specific prefix
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not correctly match requested URLs to the list of always accessible paths, allowing attackers without Overall/Read permission to access some URLs as if they did have Overall/Read permission.
CVE-2021-21610: Reflected XSS vulnerability in markup formatter preview
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not implement any restrictions for the URL rendering the formatted preview of markup passed as a query parameter.
CVE-2021-21611: Stored XSS vulnerability on new item page
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape display names and IDs of item types shown on the New Item page.
References:
https://www.jenkins.io/security/advisory/2021-01-13/
https://www.openwall.com/lists/oss-security/2021/01/13/3
Affected branches:
- master (dc5a6fe2)
- 3.12-stable