Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape notification bar response contents, resulting in a cross-site scripting (XSS) vulnerability.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Jenkins (core)
*   Bumblebee HP ALM Plugin
*   TICS Plugin
*   TraceTronic ECU-TEST Plugin

**Descriptions****XSS vulnerability in notification bar**

**SECURITY-1889 / CVE-2021-21603**  
**Severity (CVSS):** High  
**Description:**

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape notification bar response contents (typically shown after form submissions via Apply button).

This results in a cross-site scripting (XSS) vulnerability exploitable by attackers able to influence notification bar contents.

Jenkins 2.275, LTS 2.263.2 escapes the content shown in notification bars.

**Stored XSS vulnerability in button labels**

**SECURITY-2035 / CVE-2021-21608**  
**Severity (CVSS):** High  
**Description:**

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape button labels in the Jenkins UI.

This results in a cross-site scripting vulnerability exploitable by attackers with the ability to control button labels. An example of buttons with a user-controlled label are the buttons of the Pipeline input step.

Jenkins 2.275, LTS 2.263.2 escapes button labels in the Jenkins UI.

**Reflected XSS vulnerability in markup formatter preview**

**SECURITY-2153 / CVE-2021-21610**  
**Severity (CVSS):** High  
**Description:**

Jenkins allows administrators to choose the markup formatter to use for descriptions of jobs, builds, views, etc. displayed in Jenkins. When editing such a description, users can choose to have Jenkins render a formatted preview of the description they entered.

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not implement any restrictions for the URL rendering the formatted preview of markup passed as a query parameter. This results in a reflected cross-site scripting (XSS) vulnerability if the configured markup formatter does not prohibit unsafe elements (JavaScript) in markup, like Anything Goes Formatter Plugin.

Jenkins 2.275, LTS 2.263.2 requires that preview URLs are accessed using POST and sets Content-Security-Policy headers that prevent execution of unsafe elements when the URL is accessed directly.

In case of problems with this change, these protections can be disabled by setting the Java system properties hudson.markup.MarkupFormatter.previewsAllowGET to true and/or hudson.markup.MarkupFormatter.previewsSetCSP to false. Doing either is discouraged.

**Stored XSS vulnerability on new item page**

**SECURITY-2171 / CVE-2021-21611**  
**Severity (CVSS):** High  
**Description:**

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape display names and IDs of item types shown on the New Item page.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to specify display names or IDs of item types.

As of the publication of this advisory, the Jenkins security team is not aware of any plugins published via the Jenkins project update center that allow doing this.

Jenkins 2.275, LTS 2.263.2 escapes display names and IDs of item types shown on the New Item page.

**Improper handling of REST API XML deserialization errors**

**SECURITY-1923 / CVE-2021-21604**  
**Severity (CVSS):** High  
**Description:**

Jenkins provides XML REST APIs to configure views, jobs, and other items. When deserialization fails because of invalid data, Jenkins 2.274 and earlier, LTS 2.263.1 and earlier stores invalid object references created through these endpoints in the Old Data Monitor. If an administrator discards the old data, some erroneous data submitted to these endpoints may be persisted.

This allows attackers with View/Create, Job/Create, Agent/Create, or their respective \*/Configure permissions to inject crafted content into Old Data Monitor that results in the instantiation of potentially unsafe objects when discarded by an administrator.

Jenkins 2.275, LTS 2.263.2 does not record submissions from users in Old Data Monitor anymore.

In case of problems, the Java system properties hudson.util.RobustReflectionConverter.recordFailuresForAdmins and hudson.util.RobustReflectionConverter.recordFailuresForAllAuthentications can be set to true to record configuration data submissions from administrators or all users, partially or completely disabling this fix.

**Arbitrary file read vulnerability in workspace browsers**

**SECURITY-1452 / CVE-2021-21602**  
**Severity (CVSS):** Medium  
**Description:**

The file browser for workspaces, archived artifacts, and $JENKINS_HOME/userContent/ follows symbolic links to locations outside the directory being browsed in Jenkins 2.274 and earlier, LTS 2.263.1 and earlier.

This allows attackers with Job/Workspace permission and the ability to control workspace contents (e.g., with Job/Configure permission or the ability to change SCM contents) to create symbolic links that allow them to access files outside workspaces using the workspace browser.

Jenkins 2.275, LTS 2.263.2 no longer supports symlinks in workspace browsers. While they may still exist on the file system, they are no longer shown on the UI, accessible via URLs, or included in directory content downloads.

This fix only changes the behavior of the Jenkins UI. Archiving artifacts still behaves as before.

**Path traversal vulnerability in agent names**

**SECURITY-2021 / CVE-2021-21605**  
**Severity (CVSS):** High  
**Description:**

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows users with Agent/Configure permission to choose agent names that cause Jenkins to override unrelated config.xml files. If the global config.xml file is replaced, Jenkins will start up with unsafe legacy defaults after a restart.

Jenkins 2.275, LTS 2.263.2 ensures that agent names are considered valid names for items to prevent this problem.

In case of problems, this change can be reverted by setting the Java system property jenkins.model.Nodes.enforceNameRestrictions to false.

**Arbitrary file existence check in file fingerprints**

**SECURITY-2023 / CVE-2021-21606**  
**Severity (CVSS):** Medium  
**Description:**

Jenkins provides a feature for jobs to store and track fingerprints of files used during a build. Jenkins 2.274 and earlier, LTS 2.263.1 and earlier provides a REST API to check where a given fingerprint was used by which builds. This endpoint does not fully validate that the provided fingerprint ID is properly formatted before checking for the XML metadata for that fingerprint on the controller file system.

This allows attackers with Overall/Read permission to check for the existence of XML files on the controller file system where the relative path can be constructed as 32 characters.

Jenkins 2.275, LTS 2.263.2 validates that a fingerprint ID is properly formatted before checking for its existence.

**Excessive memory allocation in graph URLs leads to denial of service**

**SECURITY-2025 / CVE-2021-21607**  
**Severity (CVSS):** Medium  
**Description:**

Jenkins renders several different graphs for features like agent and label usage statistics, memory usage, or various plugin-provided statistics.

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not limit the graph size provided as query parameters.

This allows attackers to request or to have legitimate Jenkins users request crafted URLs that rapidly use all available memory in Jenkins, potentially leading to out of memory errors.

Jenkins 2.275, LTS 2.263.2 limits the maximum size of graphs to an area of 10 million pixels. If a larger size is requested, the default size for the graph will be rendered instead.

This threshold can be configured by setting the Java system property hudson.util.Graph.maxArea to a different number on startup.

**Missing permission check for paths with specific prefix**

**SECURITY-2047 / CVE-2021-21609**  
**Severity (CVSS):** Low  
**Description:**

Jenkins includes a static list of URLs that are always accessible even without Overall/Read permission, such as the login form. These URLs are excluded from an otherwise universal permission check.

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not correctly compare requested URLs with that list.

This allows attackers without Overall/Read permission to access plugin-provided URLs with any of the following prefixes if no other permissions are required:

*   accessDenied
    
*   error
    
*   instance-identity
    
*   login
    
*   logout
    
*   oops
    
*   securityRealm
    
*   signup
    
*   tcpSlaveAgentListener
    

For example, a plugin contributing the path loginFoo/ would have URLs in that space accessible without the default Overall/Read permission check.

The Jenkins security team is not aware of any affected plugins as of the publication of this advisory.

The comparison of requested URLs with the list of always accessible URLs has been fixed to only allow access to the specific listed URLs in Jenkins 2.275, LTS 2.263.2.

In case this change causes problems, additional paths can be made accessible without Overall/Read permissions: The Java system property jenkins.model.Jenkins.additionalReadablePaths is a comma-separated list of additional path prefixes to allow access to.

**Credentials stored in plain text by TraceTronic ECU-TEST Plugin**

**SECURITY-2057 / CVE-2021-21612**  
**Severity (CVSS):** Low  
**Affected plugin: ecutest**  
**Description:**

TraceTronic ECU-TEST Plugin 2.23.1 and earlier stores credentials unencrypted in its global configuration file de.tracetronic.jenkins.plugins.ecutest.report.atx.installation.ATXInstallation.xml on the Jenkins controller as part of its configuration.

These credentials can be viewed by users with access to the Jenkins controller file system.

TraceTronic ECU-TEST Plugin 2.24 adds a new option type for sensitive options. Previously stored credentials are migrated to that option type on Jenkins startup.

**XSS vulnerability in TICS Plugin**

**SECURITY-2098 / CVE-2021-21613**  
**Severity (CVSS):** High  
**Affected plugin: tics**  
**Description:**

TICS Plugin 2020.3.0.6 and earlier does not escape TICS service responses.

This results in a cross-site scripting (XSS) vulnerability exploitable by attackers able to control TICS service response content.

TICS Plugin 2020.3.0.7 escapes TICS service responses, or strips HTML out, as appropriate.

**Credentials stored in plain text by Bumblebee HP ALM Plugin**

**SECURITY-2156 / CVE-2021-21614**  
**Severity (CVSS):** Low  
**Affected plugin: bumblebee**  
**Description:**

Bumblebee HP ALM Plugin 4.1.5 and earlier stores credentials unencrypted in its global configuration file com.agiletestware.bumblebee.BumblebeeGlobalConfig.xml on the Jenkins controller as part of its configuration.

These credentials can be viewed by users with access to the Jenkins controller file system.

Bumblebee HP ALM Plugin 4.1.6 stores credentials encrypted once its configuration is saved again.

**Severity**

*   SECURITY-1452: Medium
*   SECURITY-1889: High
*   SECURITY-1923: High
*   SECURITY-2021: High
*   SECURITY-2023: Medium
*   SECURITY-2025: Medium
*   SECURITY-2035: High
*   SECURITY-2047: Low
*   SECURITY-2057: Low
*   SECURITY-2098: High
*   SECURITY-2153: High
*   SECURITY-2156: Low
*   SECURITY-2171: High

**Affected Versions**

*   **Jenkins weekly** up to and including 2.274
*   **Jenkins LTS** up to and including 2.263.1
*   **Bumblebee HP ALM Plugin** up to and including 4.1.5
*   **TICS Plugin** up to and including 2020.3.0.6
*   **TraceTronic ECU-TEST Plugin** up to and including 2.23.1

**Fix**

*   **Jenkins weekly** should be updated to version 2.275
*   **Jenkins LTS** should be updated to version 2.263.2
*   **Bumblebee HP ALM Plugin** should be updated to version 4.1.6
*   **TICS Plugin** should be updated to version 2020.3.0.7
*   **TraceTronic ECU-TEST Plugin** should be updated to version 2.24

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-2047, SECURITY-2098, SECURITY-2153
*   **Ismail Aydemir at d0nkeysec.org** for SECURITY-1923
*   **Jeff Thompson, CloudBees, Inc., Matt Sicker, CloudBees, Inc., and Wadeck Follonier, CloudBees, Inc.** for SECURITY-1889
*   **Jesse Glick, CloudBees, Inc. and Wadeck Follonier, CloudBees, Inc.** for SECURITY-2171
*   **Long Nguyen, Viettel Cyber Security** for SECURITY-2057
*   **Matt Sicker, CloudBees, Inc. and Jesse Glick, CloudBees, Inc.** for SECURITY-2035
*   **Son Nguyen (@s0nnguy3n\_)** for SECURITY-2156
*   **Travis Emmert from Apple Information Security** for SECURITY-1452
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-2021, SECURITY-2023, SECURITY-2025

CVE-2021-21603: Jenkins Security Advisory 2021-01-13

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape display names and IDs of item types shown on the New Item page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to specify display names or IDs of item types.

CVE-2021-21611: Jenkins Security Advisory 2021-01-13

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape button labels in the Jenkins UI, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to control button labels.

CVE-2021-21608: Jenkins Security Advisory 2021-01-13

Jenkins TICS Plugin 2020.3.0.6 and earlier does not escape TICS service responses, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to control TICS service response content.

CVE-2021-21613: Jenkins Security Advisory 2021-01-13

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows users with Agent/Configure permission to choose agent names that cause Jenkins to override the global `config.xml` file.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Jenkins (core)
*   Bumblebee HP ALM Plugin
*   TICS Plugin
*   TraceTronic ECU-TEST Plugin

**Descriptions****XSS vulnerability in notification bar**

**SECURITY-1889 / CVE-2021-21603**  
**Severity (CVSS):** High  
**Description:**

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape notification bar response contents (typically shown after form submissions via Apply button).

This results in a cross-site scripting (XSS) vulnerability exploitable by attackers able to influence notification bar contents.

Jenkins 2.275, LTS 2.263.2 escapes the content shown in notification bars.

**Stored XSS vulnerability in button labels**

**SECURITY-2035 / CVE-2021-21608**  
**Severity (CVSS):** High  
**Description:**

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape button labels in the Jenkins UI.

This results in a cross-site scripting vulnerability exploitable by attackers with the ability to control button labels. An example of buttons with a user-controlled label are the buttons of the Pipeline input step.

Jenkins 2.275, LTS 2.263.2 escapes button labels in the Jenkins UI.

**Reflected XSS vulnerability in markup formatter preview**

**SECURITY-2153 / CVE-2021-21610**  
**Severity (CVSS):** High  
**Description:**

Jenkins allows administrators to choose the markup formatter to use for descriptions of jobs, builds, views, etc. displayed in Jenkins. When editing such a description, users can choose to have Jenkins render a formatted preview of the description they entered.

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not implement any restrictions for the URL rendering the formatted preview of markup passed as a query parameter. This results in a reflected cross-site scripting (XSS) vulnerability if the configured markup formatter does not prohibit unsafe elements (JavaScript) in markup, like Anything Goes Formatter Plugin.

Jenkins 2.275, LTS 2.263.2 requires that preview URLs are accessed using POST and sets Content-Security-Policy headers that prevent execution of unsafe elements when the URL is accessed directly.

In case of problems with this change, these protections can be disabled by setting the Java system properties hudson.markup.MarkupFormatter.previewsAllowGET to true and/or hudson.markup.MarkupFormatter.previewsSetCSP to false. Doing either is discouraged.

**Stored XSS vulnerability on new item page**

**SECURITY-2171 / CVE-2021-21611**  
**Severity (CVSS):** High  
**Description:**

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape display names and IDs of item types shown on the New Item page.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to specify display names or IDs of item types.

As of the publication of this advisory, the Jenkins security team is not aware of any plugins published via the Jenkins project update center that allow doing this.

Jenkins 2.275, LTS 2.263.2 escapes display names and IDs of item types shown on the New Item page.

**Improper handling of REST API XML deserialization errors**

**SECURITY-1923 / CVE-2021-21604**  
**Severity (CVSS):** High  
**Description:**

Jenkins provides XML REST APIs to configure views, jobs, and other items. When deserialization fails because of invalid data, Jenkins 2.274 and earlier, LTS 2.263.1 and earlier stores invalid object references created through these endpoints in the Old Data Monitor. If an administrator discards the old data, some erroneous data submitted to these endpoints may be persisted.

This allows attackers with View/Create, Job/Create, Agent/Create, or their respective \*/Configure permissions to inject crafted content into Old Data Monitor that results in the instantiation of potentially unsafe objects when discarded by an administrator.

Jenkins 2.275, LTS 2.263.2 does not record submissions from users in Old Data Monitor anymore.

In case of problems, the Java system properties hudson.util.RobustReflectionConverter.recordFailuresForAdmins and hudson.util.RobustReflectionConverter.recordFailuresForAllAuthentications can be set to true to record configuration data submissions from administrators or all users, partially or completely disabling this fix.

**Arbitrary file read vulnerability in workspace browsers**

**SECURITY-1452 / CVE-2021-21602**  
**Severity (CVSS):** Medium  
**Description:**

The file browser for workspaces, archived artifacts, and $JENKINS_HOME/userContent/ follows symbolic links to locations outside the directory being browsed in Jenkins 2.274 and earlier, LTS 2.263.1 and earlier.

This allows attackers with Job/Workspace permission and the ability to control workspace contents (e.g., with Job/Configure permission or the ability to change SCM contents) to create symbolic links that allow them to access files outside workspaces using the workspace browser.

Jenkins 2.275, LTS 2.263.2 no longer supports symlinks in workspace browsers. While they may still exist on the file system, they are no longer shown on the UI, accessible via URLs, or included in directory content downloads.

This fix only changes the behavior of the Jenkins UI. Archiving artifacts still behaves as before.

**Path traversal vulnerability in agent names**

**SECURITY-2021 / CVE-2021-21605**  
**Severity (CVSS):** High  
**Description:**

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows users with Agent/Configure permission to choose agent names that cause Jenkins to override unrelated config.xml files. If the global config.xml file is replaced, Jenkins will start up with unsafe legacy defaults after a restart.

Jenkins 2.275, LTS 2.263.2 ensures that agent names are considered valid names for items to prevent this problem.

In case of problems, this change can be reverted by setting the Java system property jenkins.model.Nodes.enforceNameRestrictions to false.

**Arbitrary file existence check in file fingerprints**

**SECURITY-2023 / CVE-2021-21606**  
**Severity (CVSS):** Medium  
**Description:**

Jenkins provides a feature for jobs to store and track fingerprints of files used during a build. Jenkins 2.274 and earlier, LTS 2.263.1 and earlier provides a REST API to check where a given fingerprint was used by which builds. This endpoint does not fully validate that the provided fingerprint ID is properly formatted before checking for the XML metadata for that fingerprint on the controller file system.

This allows attackers with Overall/Read permission to check for the existence of XML files on the controller file system where the relative path can be constructed as 32 characters.

Jenkins 2.275, LTS 2.263.2 validates that a fingerprint ID is properly formatted before checking for its existence.

**Excessive memory allocation in graph URLs leads to denial of service**

**SECURITY-2025 / CVE-2021-21607**  
**Severity (CVSS):** Medium  
**Description:**

Jenkins renders several different graphs for features like agent and label usage statistics, memory usage, or various plugin-provided statistics.

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not limit the graph size provided as query parameters.

This allows attackers to request or to have legitimate Jenkins users request crafted URLs that rapidly use all available memory in Jenkins, potentially leading to out of memory errors.

Jenkins 2.275, LTS 2.263.2 limits the maximum size of graphs to an area of 10 million pixels. If a larger size is requested, the default size for the graph will be rendered instead.

This threshold can be configured by setting the Java system property hudson.util.Graph.maxArea to a different number on startup.

**Missing permission check for paths with specific prefix**

**SECURITY-2047 / CVE-2021-21609**  
**Severity (CVSS):** Low  
**Description:**

Jenkins includes a static list of URLs that are always accessible even without Overall/Read permission, such as the login form. These URLs are excluded from an otherwise universal permission check.

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not correctly compare requested URLs with that list.

This allows attackers without Overall/Read permission to access plugin-provided URLs with any of the following prefixes if no other permissions are required:

*   accessDenied
    
*   error
    
*   instance-identity
    
*   login
    
*   logout
    
*   oops
    
*   securityRealm
    
*   signup
    
*   tcpSlaveAgentListener
    

For example, a plugin contributing the path loginFoo/ would have URLs in that space accessible without the default Overall/Read permission check.

The Jenkins security team is not aware of any affected plugins as of the publication of this advisory.

The comparison of requested URLs with the list of always accessible URLs has been fixed to only allow access to the specific listed URLs in Jenkins 2.275, LTS 2.263.2.

In case this change causes problems, additional paths can be made accessible without Overall/Read permissions: The Java system property jenkins.model.Jenkins.additionalReadablePaths is a comma-separated list of additional path prefixes to allow access to.

**Credentials stored in plain text by TraceTronic ECU-TEST Plugin**

**SECURITY-2057 / CVE-2021-21612**  
**Severity (CVSS):** Low  
**Affected plugin: ecutest**  
**Description:**

TraceTronic ECU-TEST Plugin 2.23.1 and earlier stores credentials unencrypted in its global configuration file de.tracetronic.jenkins.plugins.ecutest.report.atx.installation.ATXInstallation.xml on the Jenkins controller as part of its configuration.

These credentials can be viewed by users with access to the Jenkins controller file system.

TraceTronic ECU-TEST Plugin 2.24 adds a new option type for sensitive options. Previously stored credentials are migrated to that option type on Jenkins startup.

**XSS vulnerability in TICS Plugin**

**SECURITY-2098 / CVE-2021-21613**  
**Severity (CVSS):** High  
**Affected plugin: tics**  
**Description:**

TICS Plugin 2020.3.0.6 and earlier does not escape TICS service responses.

This results in a cross-site scripting (XSS) vulnerability exploitable by attackers able to control TICS service response content.

TICS Plugin 2020.3.0.7 escapes TICS service responses, or strips HTML out, as appropriate.

**Credentials stored in plain text by Bumblebee HP ALM Plugin**

**SECURITY-2156 / CVE-2021-21614**  
**Severity (CVSS):** Low  
**Affected plugin: bumblebee**  
**Description:**

Bumblebee HP ALM Plugin 4.1.5 and earlier stores credentials unencrypted in its global configuration file com.agiletestware.bumblebee.BumblebeeGlobalConfig.xml on the Jenkins controller as part of its configuration.

These credentials can be viewed by users with access to the Jenkins controller file system.

Bumblebee HP ALM Plugin 4.1.6 stores credentials encrypted once its configuration is saved again.

**Severity**

*   SECURITY-1452: Medium
*   SECURITY-1889: High
*   SECURITY-1923: High
*   SECURITY-2021: High
*   SECURITY-2023: Medium
*   SECURITY-2025: Medium
*   SECURITY-2035: High
*   SECURITY-2047: Low
*   SECURITY-2057: Low
*   SECURITY-2098: High
*   SECURITY-2153: High
*   SECURITY-2156: Low
*   SECURITY-2171: High

**Affected Versions**

*   Jenkins weekly up to and including 2.274
*   Jenkins LTS up to and including 2.263.1
*   **Bumblebee HP ALM Plugin** up to and including 4.1.5
*   **TICS Plugin** up to and including 2020.3.0.6
*   **TraceTronic ECU-TEST Plugin** up to and including 2.23.1

**Fix**

*   Jenkins weekly should be updated to version 2.275
*   Jenkins LTS should be updated to version 2.263.2
*   **Bumblebee HP ALM Plugin** should be updated to version 4.1.6
*   **TICS Plugin** should be updated to version 2020.3.0.7
*   **TraceTronic ECU-TEST Plugin** should be updated to version 2.24

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-2047, SECURITY-2098, SECURITY-2153
*   **Ismail Aydemir at d0nkeysec.org** for SECURITY-1923
*   **Jeff Thompson, CloudBees, Inc., Matt Sicker, CloudBees, Inc., and Wadeck Follonier, CloudBees, Inc.** for SECURITY-1889
*   **Jesse Glick, CloudBees, Inc. and Wadeck Follonier, CloudBees, Inc.** for SECURITY-2171
*   **Long Nguyen, Viettel Cyber Security** for SECURITY-2057
*   **Matt Sicker, CloudBees, Inc. and Jesse Glick, CloudBees, Inc.** for SECURITY-2035
*   **Son Nguyen (@s0nnguy3n\_)** for SECURITY-2156
*   **Travis Emmert from Apple Information Security** for SECURITY-1452
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-2021, SECURITY-2023, SECURITY-2025

CVE-2021-21605: Jenkins Security Advisory 2021-01-13

The BW Database Interface allows an attacker with low privileges to execute any crafted database queries, exposing the backend database. An attacker can include their own SQL commands which the database will execute without properly sanitizing the untrusted data leading to SQL injection vulnerability which can fully compromise the affected SAP system.

CVE-2021-21465

The sudoedit personality of Sudo before 1.9.5 may allow a local unprivileged user to perform arbitrary directory-existence tests by winning a sudo_edit.c race condition in replacing a user-controlled directory by a symlink to an arbitrary path.

CVE-2021-23239: Stable Release

An issue was discovered in the ws crate through 2020-09-25 for Rust. The outgoing buffer is not properly limited, leading to a remote memory-consumption attack.

History ⋅ Edit

**RUSTSEC-2020-0043**

Insufficient size checks in outgoing buffer in ws allows remote attacker to run the process out of memory

Issued

September 25, 2020

Package

ws (crates.io)

Type

Vulnerability

Categories

*   denial-of-service

Keywords

#websocket #dos #ddos #oom #memory #remotely

Aliases

*   CVE-2020-35896

Details

https://github.com/housleyjk/ws-rs/issues/291

CVSS Score

7.5 HIGH

CVSS Details

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Patched

no patched versions

**Description**

Affected versions of this crate did not properly check and cap the growth of the outgoing buffer.

This allows a remote attacker to take down the process by growing the buffer of their (single) connection until the process runs out of memory it can allocate and is killed.

The flaw was corrected in the parity-ws fork (>=0.10.0) by disconnecting a client when the buffer runs full.

CVE-2020-35896: Insufficient size checks in outgoing buffer in ws allows remote attacker to run the process out of memory › RustSec Advisory Database

miniserv.pl in Webmin 1.962 on Windows mishandles special characters in query arguments to the CGI program.

@@ -2603,8 +2603,9 @@ sub handle\_request

if ($on\_windows) {

# Run the CGI program, and feed it input

chdir($ENV{"PWD"});

local $qqueryargs = join(" ", map { "\\"$\_\\"" }

split(/\\s+/, $queryargs));

local $qqueryargs = join(" ",

map { s/(\[<>|&"^\])/^$1/g; "\\"$\_\\"" }

split(/\\s+/, $queryargs));

if ($first =~ /(perl|perl.exe)$/i) {

# On Windows, run with Perl

open(CGIOUTr, "$perl\_path \\"$full\\" $qqueryargs <$infile |");

CVE-2020-35769: Always use IPv6 if a v6 address was given https://github.com/webmin/w… · webmin/webmin@1163f3a

smtpd/lka_filter.c in OpenSMTPD before 6.8.0p1, in certain configurations, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted pattern of client activity, because the filter state machine does not properly maintain the I/O channel between the SMTP engine and the filters layer.

Permalink

Browse files

smtpd's filter state machine can prematurely release resources

leading to a crash.  From gilles@

*   Loading branch information

millert committed

Dec 23, 2020

1 parent a02f695 commit 6c3220444ed06b5796dedfd53a0f4becd903c0d1

Showing **1 changed file** with **1 addition** and **6 deletions**.

@@ -1,4 +1,4 @@

/\* $OpenBSD: lka\_filter.c,v 1.64 2020/12/20 13:27:46 martijn Exp $ \*/

/\* $OpenBSD: lka\_filter.c,v 1.65 2020/12/23 20:17:49 millert Exp $ \*/

  

/\*

\* Copyright (c) 2018 Gilles Chehade <gilles@poolp.org>

@@ -600,11 +600,6 @@ filter\_session\_io(struct io \*io, int evt, void \*arg)

filter\_data(fs->id, line);

  

goto nextline;

  

case IO\_DISCONNECTED:

io\_free(fs->io);

fs->io = NULL;

break;

}

}

  

**0 comments on commit 6c32204**

Please sign in to comment.

Tag

#perl