Search for packages
| purl | pkg:rpm/redhat/openshift@4.5.0-202102050524.p0.git.0.9229406?arch=el7 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-25cp-rjk4-gfdb
Aliases: CVE-2021-21603 GHSA-98gq-6hxg-52r6 |
XSS vulnerability in Jenkins notification bar Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape notification bar response contents (typically shown after form submissions via Apply button). This results in a cross-site scripting (XSS) vulnerability exploitable by attackers able to influence notification bar contents. Jenkins 2.275, LTS 2.263.2 escapes the content shown in notification bars. | There are no reported fixed by versions. |
|
VCID-25jg-8vxe-1feu
Aliases: CVE-2021-21609 GHSA-4625-q52w-39cx |
Missing permission check for paths with specific prefix in Jenkins Jenkins includes a static list of URLs that are always accessible even without Overall/Read permission, such as the login form. These URLs are excluded from an otherwise universal permission check. Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not correctly compare requested URLs with that list. This allows attackers without Overall/Read permission to access plugin-provided URLs with any of the following prefixes if no other permissions are required: - `accessDenied` - `error` - `instance-identity` - `login` - `logout` - `oops` - `securityRealm` - `signup` - `tcpSlaveAgentListener` For example, a plugin contributing the path `loginFoo/` would have URLs in that space accessible without the default Overall/Read permission check. The Jenkins security team is not aware of any affected plugins as of the publication of this advisory. The comparison of requested URLs with the list of always accessible URLs has been fixed to only allow access to the specific listed URLs in Jenkins 2.275, LTS 2.263.2. In case this change causes problems, additional paths can be made accessible without Overall/Read permissions: The [Java system property](https://www.jenkins.io/doc/book/managing/system-properties/) `jenkins.model.Jenkins.additionalReadablePaths` is a comma-separated list of additional path prefixes to allow access to. | There are no reported fixed by versions. |
|
VCID-3y23-krs1-yudh
Aliases: CVE-2021-21607 GHSA-cxqw-vjcr-gp5g |
Excessive memory allocation in graph URLs leads to denial of service in Jenkins Jenkins renders several different graphs for features like agent and label usage statistics, memory usage, or various plugin-provided statistics. Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not limit the graph size provided as query parameters. This allows attackers to request or to have legitimate Jenkins users request crafted URLs that rapidly use all available memory in Jenkins, potentially leading to out of memory errors. Jenkins 2.275, LTS 2.263.2 limits the maximum size of graphs to an area of 10 million pixels. If a larger size is requested, the default size for the graph will be rendered instead. This threshold can be configured by setting the [Java system property](https://www.jenkins.io/doc/book/managing/system-properties/) `hudson.util.Graph.maxArea` to a different number on startup. | There are no reported fixed by versions. |
|
VCID-3ynh-xzxn-jkgy
Aliases: CVE-2021-21602 GHSA-vpjm-58cw-r8q5 |
Arbitrary file read vulnerability in workspace browsers in Jenkins The file browser for workspaces, archived artifacts, and `$JENKINS_HOME/userContent/` follows symbolic links to locations outside the directory being browsed in Jenkins 2.274 and earlier, LTS 2.263.1 and earlier. This allows attackers with Job/Workspace permission and the ability to control workspace contents (e.g., with Job/Configure permission or the ability to change SCM contents) to create symbolic links that allow them to access files outside workspaces using the workspace browser. This issue is caused by an incomplete fix for SECURITY-904 / CVE-2018-1000862 in the [2018-12-08 security advisory](https://www.jenkins.io/security/advisory/2018-12-05/#SECURITY-904). Jenkins 2.275, LTS 2.263.2 no longer supports symlinks in workspace browsers. While they may still exist on the file system, they are no longer shown on the UI, accessible via URLs, or included in directory content downloads. This fix only changes the behavior of the Jenkins UI. Archiving artifacts still behaves as before. | There are no reported fixed by versions. |
|
VCID-4y3h-rxbk-cua1
Aliases: CVE-2021-21606 GHSA-f585-9fw3-rj2m |
Arbitrary file existence check in file fingerprints in Jenkins Jenkins provides a feature for jobs to store and track fingerprints of files used during a build. Jenkins 2.274 and earlier, LTS 2.263.1 and earlier provides a REST API to check where a given fingerprint was used by which builds. This endpoint does not fully validate that the provided fingerprint ID is properly formatted before checking for the XML metadata for that fingerprint on the controller file system. This allows attackers with Overall/Read permission to check for the existence of XML files on the controller file system where the relative path can be constructed as 32 characters. Jenkins 2.275, LTS 2.263.2 validates that a fingerprint ID is properly formatted before checking for its existence. | There are no reported fixed by versions. |
|
VCID-53z5-f3xj-z7bf
Aliases: CVE-2020-1945 GHSA-4p6w-m9wc-c9c9 |
Sensitive Data Exposure in Apache Ant Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree allowing an attacker to inject modified source files into the build process. | There are no reported fixed by versions. |
|
VCID-5yuh-2e55-hfbt
Aliases: CVE-2021-21611 GHSA-mj7q-cmf3-mg7h |
Stored XSS vulnerability in Jenkins on new item page Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape display names and IDs of item types shown on the New Item page. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to specify display names or IDs of item types. As of the publication of this advisory, the Jenkins security team is not aware of any plugins published via the Jenkins project update center that allow doing this. Jenkins 2.275, LTS 2.263.2 escapes display names and IDs of item types shown on the New Item page. | There are no reported fixed by versions. |
|
VCID-6rk7-hffm-nbau
Aliases: CVE-2021-21610 GHSA-7qf3-c2q8-69m3 |
Reflected XSS vulnerability in Jenkins markup formatter preview Jenkins allows administrators to choose the markup formatter to use for descriptions of jobs, builds, views, etc. displayed in Jenkins. When editing such a description, users can choose to have Jenkins render a formatted preview of the description they entered. Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not implement any restrictions for the URL rendering the formatted preview of markup passed as a query parameter. This results in a reflected cross-site scripting (XSS) vulnerability if the configured markup formatter does not prohibit unsafe elements (JavaScript) in markup, like [Anything Goes Formatter Plugin](https://plugins.jenkins.io/anything-goes-formatter/). Jenkins 2.275, LTS 2.263.2 requires that preview URLs are accessed using POST and sets Content-Security-Policy headers that prevent execution of unsafe elements when the URL is accessed directly. In case of problems with this change, these protections can be disabled by setting the [Java system properties](https://www.jenkins.io/doc/book/managing/system-properties/) `hudson.markup.MarkupFormatter.previewsAllowGET` to `true` and/or `hudson.markup.MarkupFormatter.previewsSetCSP` to `false`. Doing either is discouraged. | There are no reported fixed by versions. |
|
VCID-9zky-rdj1-pudy
Aliases: CVE-2021-21608 GHSA-wv63-gwr9-5c55 |
Stored XSS vulnerability in Jenkins button labels Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape button labels in the Jenkins UI. This results in a cross-site scripting vulnerability exploitable by attackers with the ability to control button labels. An example of buttons with a user-controlled label are the buttons of the Pipeline `input` step. Jenkins 2.275, LTS 2.263.2 escapes button labels in the Jenkins UI. | There are no reported fixed by versions. |
|
VCID-db62-2h4q-x7fv
Aliases: CVE-2021-21604 GHSA-qv6f-rcv6-6q3x |
Improper handling of REST API XML deserialization errors in Jenkins Jenkins provides XML REST APIs to configure views, jobs, and other items. When deserialization fails because of invalid data, Jenkins 2.274 and earlier, LTS 2.263.1 and earlier stores invalid object references created through these endpoints in the Old Data Monitor. If an administrator discards the old data, some erroneous data submitted to these endpoints may be persisted. This allows attackers with View/Create, Job/Create, Agent/Create, or their respective */Configure permissions to inject crafted content into Old Data Monitor that results in the instantiation of potentially unsafe objects when discarded by an administrator.\n\nJenkins 2.275, LTS 2.263.2 does not record submissions from users in Old Data Monitor anymore. In case of problems, the [Java system properties](https://www.jenkins.io/doc/book/managing/system-properties/) `hudson.util.RobustReflectionConverter.recordFailuresForAdmins` and `hudson.util.RobustReflectionConverter.recordFailuresForAllAuthentications` can be set to true to record configuration data submissions from administrators or all users, partially or completely disabling this fix. | There are no reported fixed by versions. |
|
VCID-evt5-t9pq-n7a7
Aliases: CVE-2021-21615 GHSA-qxp6-27gw-99cj |
Time-of-check Time-of-use (TOCTOU) Race Condition in Jenkins Due to a time-of-check to time-of-use (TOCTOU) race condition, the file browser for workspaces, archived artifacts, and `$JENKINS_HOME/userContent/` follows symbolic links to locations outside the directory being browsed in Jenkins 2.275 and LTS 2.263.2. This allows attackers with Job/Workspace permission and the ability to control workspace contents, e.g., with Job/Configure permission or the ability to change SCM contents, to create symbolic links that allow them to access files outside workspaces using the workspace browser. This issue is caused by an incorrectly applied fix for SECURITY-1452 / CVE-2021-21602 in the [2021-01-13 security advisory](https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-1452). Jenkins 2.276, LTS 2.263.3 no longer differentiates the check and the use of symlinks in workspace browsers. | There are no reported fixed by versions. |
|
VCID-rrnb-9h1s-vkef
Aliases: CVE-2021-21605 GHSA-pxgq-gqr9-5gwx |
Path traversal vulnerability in Jenkins agent names Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows users with Agent/Configure permission to choose agent names that cause Jenkins to override unrelated `config.xml` files. If the global `config.xml` file is replaced, Jenkins will start up with unsafe legacy defaults after a restart. Jenkins 2.275, LTS 2.263.2 ensures that agent names are considered valid names for items to prevent this problem. In case of problems, this change can be reverted by setting the [Java system property](https://www.jenkins.io/doc/book/managing/system-properties/) `jenkins.model.Nodes.enforceNameRestrictions` to `false`. | There are no reported fixed by versions. |
|
VCID-unby-h128-v3bk
Aliases: CVE-2020-11979 GHSA-f62v-xpxf-3v68 GHSA-j45w-qrgf-25vm |
Code injection in Apache Ant As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the effort. This would still allow an attacker to inject modified source files into the build process. | There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||