‼ CVE-2021-21687 ‼
📖 Read
via "National Vulnerability Database".
Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agent-to-controller access to create symbolic links when unarchiving a symbolic link in FilePath#untar.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-34774 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability in the web-based management interface of Cisco Common Services Platform Collector (CSPC) could allow an authenticated, remote attacker to access sensitive data on an affected system. This vulnerability exists because the application does not sufficiently protect sensitive data when responding to a specific API request. An attacker could exploit the vulnerability by sending a crafted HTTP request to the affected application. A successful exploit could allow the attacker to obtain sensitive information about the users of the application, including security questions and answers. To exploit this vulnerability an attacker would need valid Administrator credentials. Cisco expects to release software updates that address this vulnerability.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-21688 ‼
📖 Read
via "National Vulnerability Database".
The agent-to-controller security check FilePath#reading(FileVisitor) in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not reject any operations, allowing users to have unrestricted read access using certain operations (creating archives, FilePath#copyRecursiveTo).📖 Read
via "National Vulnerability Database".
‼ CVE-2021-21685 ‼
📖 Read
via "National Vulnerability Database".
Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agent-to-controller access to create parent directories in FilePath#mkdirs.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-1500 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability in the web-based management interface of Cisco Webex Video Mesh could allow an unauthenticated, remote attacker to redirect a user to a malicious web page. This vulnerability is due to improper input validation of the URL parameters in an HTTP request. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to redirect a user to a malicious website. Attackers may use this type of vulnerability, known as an open redirect attack, as part of a phishing attack to persuade users to unknowingly visit malicious sites.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-21689 ‼
📖 Read
via "National Vulnerability Database".
FilePath#unzip and FilePath#untar were not subject to any agent-to-controller access control in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-40113 ‼
📖 Read
via "National Vulnerability Database".
Multiple vulnerabilities in the web-based management interface of the Cisco Catalyst Passive Optical Network (PON) Series Switches Optical Network Terminal (ONT) could allow an unauthenticated, remote attacker to perform the following actions: Log in with a default credential if the Telnet protocol is enabled Perform command injection Modify the configuration For more information about these vulnerabilities, see the Details section of this advisory.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-21690 ‼
📖 Read
via "National Vulnerability Database".
Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-34701 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), and Cisco Unity Connection could allow an authenticated, remote attacker to access sensitive data on an affected device. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request that contains directory traversal character sequences to an affected system. A successful exploit could allow the attacker to access sensitive files on the affected system.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-34784 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability in the web-based management interface of Cisco Prime Infrastructure (PI) and Cisco Evolved Programmable Network Manager (EPNM) could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of an affected interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-21698 ‼
📖 Read
via "National Vulnerability Database".
Jenkins Subversion Plugin 2.15.0 and earlier does not restrict the name of a file when looking up a subversion key file on the controller from an agent.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-40112 ‼
📖 Read
via "National Vulnerability Database".
Multiple vulnerabilities in the web-based management interface of the Cisco Catalyst Passive Optical Network (PON) Series Switches Optical Network Terminal (ONT) could allow an unauthenticated, remote attacker to perform the following actions: Log in with a default credential if the Telnet protocol is enabled Perform command injection Modify the configuration For more information about these vulnerabilities, see the Details section of this advisory.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-40119 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability in the key-based SSH authentication mechanism of Cisco Policy Suite could allow an unauthenticated, remote attacker to log in to an affected system as the root user. This vulnerability is due to the re-use of static SSH keys across installations. An attacker could exploit this vulnerability by extracting a key from a system under their control. A successful exploit could allow the attacker to log in to an affected system as the root user.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-40124 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability in the Network Access Manager (NAM) module of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to escalate privileges on an affected device. This vulnerability is due to incorrect privilege assignment to scripts executed before user logon. An attacker could exploit this vulnerability by configuring a script to be executed before logon. A successful exploit could allow the attacker to execute arbitrary code with SYSTEM privileges.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-40128 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability in the account activation feature of Cisco Webex Meetings could allow an unauthenticated, remote attacker to send an account activation email with an activation link that points to an arbitrary domain. This vulnerability is due to insufficient validation of user-supplied parameters. An attacker could exploit this vulnerability by sending a crafted HTTP request to the account activation page of Cisco Webex Meetings. A successful exploit could allow the attacker to send to any recipient an account activation email that contains a tampered activation link, which could direct the user to an attacker-controlled website.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-34773 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), and Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected device. This vulnerability is due to insufficient CSRF protections for the web-based management interface on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the targeted user. These actions could include modifying the device configuration and deleting (but not creating) user accounts.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-21693 ‼
📖 Read
via "National Vulnerability Database".
When creating temporary files, agent-to-controller access to create those files is only checked after they've been created in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-21696 ‼
📖 Read
via "National Vulnerability Database".
Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not limit agent read/write access to the libs/ directory inside build directories when using the FilePath APIs, allowing attackers in control of agent processes to replace the code of a trusted library with a modified variant. This results in unsandboxed code execution in the Jenkins controller process.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-21694 ‼
📖 Read
via "National Vulnerability Database".
FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.📖 Read
via "National Vulnerability Database".
🦿 You can configure SSH to use a non-standard port with SELinux set to enforcing 🦿
📖 Read
via "Tech Republic".
Switching the SSH listening port is an easy way to help secure remote login on your Linux servers. Jack Wallen shows you how.📖 Read
via "Tech Republic".
TechRepublic
You can configure SSH to use a non-standard port with SELinux set to enforcing
Switching the SSH listening port is an easy way to help secure remote login on your Linux servers. Jack Wallen shows you how.
🔏 Latest National Data Privacy Legislation Aims to Protect Consumer Data 🔏
📖 Read
via "".
Legislation introduced last week would establish national data privacy standards, mirror elements of the CCPA and require companies to use high-quality data protection standards.📖 Read
via "".
Digital Guardian
Latest National Data Privacy Legislation Aims to Protect Consumer Data
Legislation introduced last week would establish national data privacy standards, mirror elements of the CCPA and require companies to use high-quality data protection standards.