PT-2021-14648 · Jenkins · Jenkins

Wadeck Follonier · Published 2021-01-13 · Updated 2024-03-06 · CVE-2021-21605

CVSS v3.1: 8.0 (High)

Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Jenkins versions 2.274 and earlier, LTS versions 2.263.1 and earlier

Description

The issue allows users with Agent/Configure permission to choose specific agent names that cause Jenkins to override the global config.xml file. If the global config.xml file is replaced, Jenkins will start up with unsafe legacy defaults after a restart.

Recommendations

For Jenkins 2.274 and earlier and LTS 2.263.1 and earlier, update to Jenkins 2.275 or LTS 2.263.2, which ensure that agent names are considered valid names for items, preventing this problem. As a temporary workaround, consider setting the Java system property jenkins.model.Nodes.enforceNameRestrictions to true to enforce name restrictions. Note that this change can be reverted by setting the Java system property jenkins.model.Nodes.enforceNameRestrictions to false if problems occur.
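
A triage check for the versions and system property named above, as an added example that is not code from Jenkins or from this advisory. The function names and status strings are hypothetical. It compares a version only within its own release line, because LTS 2.263.2 is fixed while weekly releases up to 2.274 are not.

```python
import re

# Added illustration: thresholds come from the advisory text; function names
# and status strings are hypothetical, not part of Jenkins.
PROP = "jenkins.model.Nodes.enforceNameRestrictions"
LAST_AFFECTED_WEEKLY = (2, 274)
LAST_AFFECTED_LTS = (2, 263, 1)


def parse_version(text):
    """Return (2, 274) for a weekly release or (2, 263, 1) for an LTS release."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Jenkins version: {text!r}")
    return tuple(int(p) for p in m.groups() if p is not None)


def is_affected(version):
    """Compare within the release line: LTS has three components, weekly two."""
    v = parse_version(version)
    if len(v) == 3:
        return v <= LAST_AFFECTED_LTS
    return v <= LAST_AFFECTED_WEEKLY


def property_value(jvm_args):
    """Value of -D<PROP>=... in the JVM arguments, or None if it is not set."""
    prefix = f"-D{PROP}="
    value = None
    for arg in jvm_args:
        if arg.startswith(prefix):
            value = arg[len(prefix):].strip().lower()  # keep the last occurrence
    return value


def triage(version, jvm_args):
    """Classify one controller from its version string and JVM arguments."""
    if is_affected(version):
        # The upgrade is the fix, so an affected version is always reported.
        return "update-required"
    if property_value(jvm_args) == "false":
        # Fixed release, but the name restrictions were switched back off.
        return "restrictions-disabled"
    return "ok"
```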

Fix

Path traversal

RCE

Weakness Enumeration

Related Identifiers

BIT-JENKINS-2021-21605
CVE-2021-21605
GHSA-PXGQ-GQR9-5GWX
RHSA-2021:0423
RHSA-2021:0429
RHSA-2021:0637

Affected Products

Jenkins