CVE-2021-21602

Name of the Vulnerable Software and Affected Versions Jenkins versions 2.274 and earlier, LTS versions 2.263.1 and earlier

Description The issue allows attackers to read arbitrary files using the file browser for workspaces and archived artifacts by following symlinks. This is possible because the file browser for workspaces, archived artifacts, and $JENKINS HOME/userContent/ follows symbolic links to locations outside the directory being browsed. Attackers with Job/Workspace permission and the ability to control workspace contents can create symbolic links to access files outside workspaces using the workspace browser.

Recommendations For Jenkins versions 2.274 and earlier, update to version 2.275 or later to resolve the issue. For LTS versions 2.263.1 and earlier, update to version 2.263.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the workspace browser and archived artifacts to minimize the risk of exploitation.