The version of Jenkins Enterprise or Jenkins Operations Center running on the remote web server is 2.249.x prior to 2.249.31.0.1-2, or 2.x prior to 2.277.3.1-2. It is, therefore, affected by multiple vulnerabilities, including the following:

  - Jenkins Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser to prevent XML     external entity (XXE) attacks. (CVE-2021-21642)

  - A cross-site request forgery (CSRF) vulnerability in Jenkins Config File Provider Plugin 3.7.0 and earlier     allows attackers to delete configuration files corresponding to an attacker-specified ID. (CVE-2021-21644)

  - Jenkins Templating Engine Plugin 2.1 and earlier does not protect its pipeline configurations using Script     Security Plugin, allowing attackers with Job/Configure permission to execute arbitrary code in the context     of the Jenkins controller JVM. (CVE-2021-21646)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Jenkins Enterprise and Operations Center < 2.249.31.0.1-2 / 2.277.3.1-2 Multiple Vulnerabilities (CloudBees Security Advisory 2021-04-21)

high Nessus Plugin ID 155628

No changelogs found