VulnerableCode Package Details - pkg:rpm/redhat/redhat-release-coreos@47.83-2?arch=el8

Search for packages

Vulnerability	Summary	Fixed by
VCID-869x-tjbg-dkbr Aliases: CVE-2021-21642 GHSA-q7xg-hh3q-hc68	XML External Entity Reference vulnerability in Jenkins Config File Provider Plugin Jenkins Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers with the ability to define Maven configuration files to have Jenkins parse a crafted configuration file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. Jenkins Config File Provider Plugin 3.7.1 disables external entity resolution for its XML parser.	There are no reported fixed by versions.
VCID-dwge-3up7-yyaq Aliases: CVE-2020-16845 GHSA-q6gq-997w-f55g	Withdrawn Advisory: Infinite loop in xz ### Withdrawn Advisory This advisory has been withdrawn because alerts cannot be issued for the Go standard library at this time. ### Original Description Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.	There are no reported fixed by versions.
VCID-sztq-6p4h-b7ex Aliases: CVE-2021-21644 GHSA-998m-f2x3-jjq4	CSRF vulnerability in Jenkins Config File Provider Plugin allows deleting configuration files Jenkins Config File Provider Plugin 3.7.0 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to delete configuration files corresponding to an attacker-specified ID. This is due to an incomplete fix of [SECURITY-938](https://www.jenkins.io/security/advisory/2018-09-25/#SECURITY-938). Jenkins Config File Provider Plugin 3.7.1 requires POST requests for the affected HTTP endpoint.	There are no reported fixed by versions.
VCID-u2dp-1t5z-z7dm Aliases: CVE-2021-21645 GHSA-2959-fj73-hm8p	Missing permission checks in Jenkins Config File Provider Plugin allow enumerating configuration file IDs Jenkins Config File Provider Plugin 3.7.0 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate configuration file IDs. An enumeration of configuration file IDs in Jenkins Config File Provider Plugin 3.7.1 requires the appropriate permissions.	There are no reported fixed by versions.
VCID-w9qm-pwnh-4ydj Aliases: CVE-2020-15586	golang: data race in certain net/http servers including ReverseProxy can lead to DoS	There are no reported fixed by versions.
VCID-xmyr-jaue-7ker Aliases: CVE-2021-21643 GHSA-3m3f-2323-64m7	Incorrect permission checks in Jenkins Config File Provider Plugin allow enumerating credentials IDs Jenkins Config File Provider Plugin 3.7.0 and earlier does not correctly perform permission checks in several HTTP endpoints. This allows attackers with global Job/Configure permission to enumerate system-scoped credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability. An enumeration of system-scoped credentials IDs in Jenkins Config File Provider Plugin 3.7.1 requires Overall/Administer permission.	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-869x-tjbg-dkbr
Aliases:
CVE-2021-21642
GHSA-q7xg-hh3q-hc68

XML External Entity Reference vulnerability in Jenkins Config File Provider Plugin Jenkins Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers with the ability to define Maven configuration files to have Jenkins parse a crafted configuration file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. Jenkins Config File Provider Plugin 3.7.1 disables external entity resolution for its XML parser.