Search for packages
| purl | pkg:maven/org.jenkins-ci.main/jenkins-core@2.304 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1kf2-8j67-7kg3
Aliases: CVE-2021-21686 GHSA-4g38-hrm4-rg94 |
Improper Link Resolution Before File Access ('Link Following') File path filters in the agent-to-controller security subsystem of Jenkins do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories. |
Affected by 0 other vulnerabilities. |
|
VCID-4m6t-zty2-b3d6
Aliases: CVE-2021-21682 GHSA-6q4g-84f3-mw74 |
Improper Encoding or Escaping of Output Jenkins accepts names of jobs and other entities with a trailing dot character, potentially replacing the configuration and data of other entities on Windows. |
Affected by 0 other vulnerabilities. |
|
VCID-53km-desw-w7d6
Aliases: CVE-2021-21696 GHSA-c5r9-rx53-q3gf |
Protection Mechanism Failure Jenkins does not limit agent read/write access to the libs/ directory inside build directories when using the FilePath APIs, allowing attackers in control of agent processes to replace the code of a trusted library with a modified variant. This results in unsandboxed code execution in the Jenkins controller process. |
Affected by 0 other vulnerabilities. |
|
VCID-7w87-bm8n-bbbr
Aliases: CVE-2021-21688 GHSA-m9hr-259f-2v23 |
Missing Authorization The agent-to-controller security check FilePath#reading(FileVisitor) in Jenkins does not reject any operations, allowing users to have unrestricted read access using certain operations (creating archives, FilePath#copyRecursiveTo). |
Affected by 0 other vulnerabilities. |
|
VCID-b4zg-38x9-23dn
Aliases: CVE-2021-21687 GHSA-3q84-vrvx-rfvf |
Missing Authorization Jenkins does not check agent-to-controller access to create symbolic links when unarchiving a symbolic link in FilePath#untar. |
Affected by 0 other vulnerabilities. |
|
VCID-fvza-3rhj-8kbp
Aliases: CVE-2021-21690 GHSA-97c3-w9cr-6qc2 |
Protection Mechanism Failure Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path in Jenkins. |
Affected by 0 other vulnerabilities. |
|
VCID-h3nf-gwsr-5qf3
Aliases: CVE-2021-21694 GHSA-pgj6-jmj5-wqfx |
Missing Authorization File operations do not check any permissions in Jenkins. |
Affected by 0 other vulnerabilities. |
|
VCID-kf3a-yce1-auh4
Aliases: CVE-2021-21691 GHSA-2c79-h2h5-g3fw |
Incorrect Authorization Creating symbolic links is possible without the 'symlink' agent-to-controller access control permission in Jenkins. |
Affected by 0 other vulnerabilities. |
|
VCID-nq1x-s9hz-a7fb
Aliases: CVE-2021-21695 GHSA-cvvm-4cr9-r436 |
Missing Authorization FilePath#listFiles lists files outside directories that agents are allowed to access when following symbolic links in Jenkins. |
Affected by 0 other vulnerabilities. |
|
VCID-r3ry-745m-zuh1
Aliases: CVE-2021-21689 GHSA-j3cq-h6vh-gx7f |
Missing Authorization FilePath#unzip and FilePath#untar were not subject to any agent-to-controller access control in Jenkins. |
Affected by 0 other vulnerabilities. |
|
VCID-r3v1-qkky-dqcq
Aliases: CVE-2021-21685 GHSA-58xm-mxjf-254g |
Missing Authorization Jenkins does not check agent-to-controller access to create parent directories in FilePath#mkdirs. |
Affected by 0 other vulnerabilities. |
|
VCID-remx-jas5-1bfm
Aliases: CVE-2021-21692 GHSA-8xg4-xq2v-v6j7 |
Incorrect Authorization FilePath#renameTo and FilePath#moveAllChildrenTo in Jenkins only check 'read' agent-to-controller access permission on the source path, instead of 'delete'. |
Affected by 0 other vulnerabilities. |
|
VCID-tdb7-6gx7-1ucr
Aliases: CVE-2021-21683 GHSA-4pw5-r58h-fv24 |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') The file browser in Jenkins may interpret some paths to files as absolute on Windows, resulting in a path traversal vulnerability allowing attackers with Overall/Read permission (Windows controller) or Job/Workspace permission (Windows agents) to obtain the contents of arbitrary files. |
Affected by 0 other vulnerabilities. |
|
VCID-wuvf-kdtu-tkc2
Aliases: CVE-2021-21693 GHSA-929w-q433-4h9x |
Improper Authorization When creating temporary files, agent-to-controller access to create those files is only checked after they've been created in Jenkins. |
Affected by 0 other vulnerabilities. |
|
VCID-zgtd-8mf6-ruc9
Aliases: CVE-2021-21697 GHSA-cv2w-q8c3-xjv7 |
Incomplete List of Disallowed Inputs Jenkins allows any agent to read and write the contents of any build directory stored in Jenkins with very few restrictions. |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-01T16:02:18.750199+00:00 | GHSA Importer | Affected by | VCID-1kf2-8j67-7kg3 | https://github.com/advisories/GHSA-4g38-hrm4-rg94 | 38.0.0 |
| 2026-04-01T16:02:18.638043+00:00 | GHSA Importer | Affected by | VCID-kf3a-yce1-auh4 | https://github.com/advisories/GHSA-2c79-h2h5-g3fw | 38.0.0 |
| 2026-04-01T16:02:18.607298+00:00 | GHSA Importer | Affected by | VCID-b4zg-38x9-23dn | https://github.com/advisories/GHSA-3q84-vrvx-rfvf | 38.0.0 |
| 2026-04-01T16:02:18.579916+00:00 | GHSA Importer | Affected by | VCID-7w87-bm8n-bbbr | https://github.com/advisories/GHSA-m9hr-259f-2v23 | 38.0.0 |
| 2026-04-01T16:02:18.469440+00:00 | GHSA Importer | Affected by | VCID-r3ry-745m-zuh1 | https://github.com/advisories/GHSA-j3cq-h6vh-gx7f | 38.0.0 |
| 2026-04-01T16:02:18.435219+00:00 | GHSA Importer | Affected by | VCID-h3nf-gwsr-5qf3 | https://github.com/advisories/GHSA-pgj6-jmj5-wqfx | 38.0.0 |
| 2026-04-01T16:02:18.345062+00:00 | GHSA Importer | Affected by | VCID-fvza-3rhj-8kbp | https://github.com/advisories/GHSA-97c3-w9cr-6qc2 | 38.0.0 |
| 2026-04-01T16:02:18.310894+00:00 | GHSA Importer | Affected by | VCID-remx-jas5-1bfm | https://github.com/advisories/GHSA-8xg4-xq2v-v6j7 | 38.0.0 |
| 2026-04-01T16:02:18.249149+00:00 | GHSA Importer | Affected by | VCID-r3v1-qkky-dqcq | https://github.com/advisories/GHSA-58xm-mxjf-254g | 38.0.0 |
| 2026-04-01T16:02:18.213996+00:00 | GHSA Importer | Affected by | VCID-wuvf-kdtu-tkc2 | https://github.com/advisories/GHSA-929w-q433-4h9x | 38.0.0 |
| 2026-04-01T16:02:18.177829+00:00 | GHSA Importer | Affected by | VCID-nq1x-s9hz-a7fb | https://github.com/advisories/GHSA-cvvm-4cr9-r436 | 38.0.0 |
| 2026-04-01T16:02:18.095768+00:00 | GHSA Importer | Affected by | VCID-zgtd-8mf6-ruc9 | https://github.com/advisories/GHSA-cv2w-q8c3-xjv7 | 38.0.0 |
| 2026-04-01T16:02:18.036020+00:00 | GHSA Importer | Affected by | VCID-53km-desw-w7d6 | https://github.com/advisories/GHSA-c5r9-rx53-q3gf | 38.0.0 |
| 2026-04-01T16:02:16.897205+00:00 | GHSA Importer | Affected by | VCID-4m6t-zty2-b3d6 | https://github.com/advisories/GHSA-6q4g-84f3-mw74 | 38.0.0 |
| 2026-04-01T16:02:16.810850+00:00 | GHSA Importer | Affected by | VCID-tdb7-6gx7-1ucr | https://github.com/advisories/GHSA-4pw5-r58h-fv24 | 38.0.0 |