The version of Jenkins Enterprise or Jenkins Operations Center running on the remote web server is 2.249.x prior to 2.249.31.0.1-2, or 2.x prior to 2.277.3.1-2. It is, therefore, affected by multiple vulnerabilities, including the following:

  - Jenkins Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser to prevent XML     external entity (XXE) attacks. (CVE-2021-21642)

  - A cross-site request forgery (CSRF) vulnerability in Jenkins Config File Provider Plugin 3.7.0 and earlier     allows attackers to delete configuration files corresponding to an attacker-specified ID. (CVE-2021-21644)

  - Jenkins Templating Engine Plugin 2.1 and earlier does not protect its pipeline configurations using Script     Security Plugin, allowing attackers with Job/Configure permission to execute arbitrary code in the context     of the Jenkins controller JVM. (CVE-2021-21646)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:2431 advisory.

    Red Hat OpenShift Container Platform is Red Hat's cloud computing     Kubernetes application platform solution designed for on-premise or private     cloud deployments.

    This advisory contains the RPM packages for Red Hat OpenShift Container     Platform 4.5.41. See the following advisory for the container images for     this release:

    https://access.redhat.com/errata/RHSA-2021:2430

    Security Fix(es):

    * jenkins-2-plugins/config-file-provider: Does not configure its XML parser to prevent XML external entity     (XXE) attacks. (CVE-2021-21642)

    * jetty: local temporary directory hijacking vulnerability (CVE-2020-27216)

    * jetty: buffer not correctly recycled in Gzip Request inflation (CVE-2020-27218)

    * jetty: request containing multiple Accept headers with a large number of quality parameters may lead     to DoS (CVE-2020-27223)

    * jenkins-2-plugins/config-file-provider: Does not correctly perform permission checks in several HTTP     endpoints. (CVE-2021-21643)

    * jenkins-2-plugins/config-file-provider: does not require POST requests for an HTTP endpoint, resulting     in a cross-site request forgery (CSRF) vulnerability. (CVE-2021-21644)

    * jenkins-2-plugins/config-file-provider: Does not perform permission checks in several HTTP endpoints.
    (CVE-2021-21645)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Bug Fix(es):

    * Placeholder bug for OCP 4.5.41 rpm release (BZ#1972114)

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:2122 advisory.

    Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution     designed for on-premise or private cloud deployments.

    This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.7.13. See the following     advisory for the container images for this release:

    https://access.redhat.com/errata/RHSA-2021:2121

    Security Fix(es):

    * jenkins-2-plugins/config-file-provider: Does not configure its XML parser to prevent XML external entity     (XXE) attacks. (CVE-2021-21642)

    * golang: data race in certain net/http servers including ReverseProxy can lead to DoS (CVE-2020-15586)

    * golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs     (CVE-2020-16845)

    * jenkins-2-plugins/config-file-provider: Does not correctly perform permission checks in several HTTP     endpoints. (CVE-2021-21643)

    * jenkins-2-plugins/config-file-provider: does not require POST requests for an HTTP endpoint, resulting     in a cross-site request forgery (CSRF) vulnerability. (CVE-2021-21644)

    * jenkins-2-plugins/config-file-provider: Does not perform permission checks in several HTTP endpoints.
    (CVE-2021-21645)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    All OpenShift Container Platform 4.7 users are advised to upgrade to these updated packages and images     when they are available in the appropriate release channel. To check for available updates, use the     OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at     https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-between-     minor.html#understanding-upgrade-channels_updating-cluster-between-minor

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:2517 advisory.

    Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution     designed for on-premise or private cloud deployments.

    This advisory contains the RPM packages for Red Hat OpenShift Container Platform 3.11.462. See the     following advisory for the container images for this release:

    https://access.redhat.com/errata/RHBA-2021:2516

    Space precludes documenting all of the bug fixes and enhancements in this advisory. See the following     Release Notes documentation, which will be updated shortly for this release, for details about these     changes:

    https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html

    All OpenShift Container Platform 3.11 users are advised to upgrade to these updated packages and images.

    Security Fix(es):

    * jenkins-2-plugins/config-file-provider: Does not configure its XML parser to prevent XML external entity     (XXE) attacks. (CVE-2021-21642)

    * jetty: local temporary directory hijacking vulnerability (CVE-2020-27216)

    * jetty: buffer not correctly recycled in Gzip Request inflation (CVE-2020-27218)

    * jetty: request containing multiple Accept headers with a large number of quality parameters may lead     to DoS (CVE-2020-27223)

    * jenkins-2-plugins/config-file-provider: Does not correctly perform permission checks in several HTTP     endpoints. (CVE-2021-21643)

    * jenkins-2-plugins/config-file-provider: does not require POST requests for an HTTP endpoint, resulting     in a cross-site request forgery (CSRF) vulnerability. (CVE-2021-21644)

    * jenkins-2-plugins/config-file-provider: Does not perform permission checks in several HTTP endpoints.
    (CVE-2021-21645)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Published	Updated	Severity
155628	Jenkins Enterprise and Operations Center < 2.249.31.0.1-2 / 2.277.3.1-2 Multiple Vulnerabilities (CloudBees Security Advisory 2021-04-21)	Nessus	CGI abuses	11/19/2021	6/4/2024	high
151290	RHEL 7 : OpenShift Container Platform 4.5.41 (RHSA-2021:2431)	Nessus	Red Hat Local Security Checks	7/2/2021	11/7/2024	high
165147	RHEL 7 / 8 : OpenShift Container Platform 4.7.13 (RHSA-2021:2122)	Nessus	Red Hat Local Security Checks	9/15/2022	11/7/2024	high
151276	RHEL 7 : OpenShift Container Platform 3.11.462 (RHSA-2021:2517)	Nessus	Red Hat Local Security Checks	7/1/2021	11/7/2024	high

Detections

Analytics

Plugins Search

high

high

high

high