PT-2021-14649 · Jenkins · Jenkins

Wadeck Follonier

Published: 2021-01-13 · Updated: 2024-03-06

CVE-2021-21606

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Jenkins versions 2.274 and earlier
Jenkins LTS versions 2.263.1 and earlier
Description

The issue arises from improper validation of the format of a provided fingerprint ID when checking for its existence. This allows an attacker to check for the existence of XML files with a short path. The vulnerability lies in a REST API endpoint that does not fully validate the provided fingerprint ID before checking for the corresponding XML metadata on the controller file system. As a result, attackers with Overall/Read permission can check for the existence of XML files on the controller file system whose relative path can be expressed in 32 characters.
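As an added illustration (not Jenkins' own code), this is the shape of the check the fix requires: the fingerprint ID must be validated as exactly 32 hex characters before it is ever turned into a file path, with a containment check as defense in depth. The on-disk layout (fingerprints/aa/bb/rest.xml) and all helper names are assumptions made for the example.

```python
import os
import re
import tempfile

# Fingerprint IDs are MD5 digests: exactly 32 lowercase hex characters.
FINGERPRINT_ID_RE = re.compile(r"[0-9a-f]{32}")


def is_valid_fingerprint_id(fid: str) -> bool:
    """Format check that must run before any file-system lookup."""
    return FINGERPRINT_ID_RE.fullmatch(fid) is not None


def fingerprint_path(root: str, fid: str) -> str:
    """Map a validated ID to its XML file (assumed layout: fingerprints/aa/bb/<rest>.xml)."""
    if not is_valid_fingerprint_id(fid):
        raise ValueError("malformed fingerprint id")
    return os.path.join(root, "fingerprints", fid[:2], fid[2:4], fid[4:] + ".xml")


def fingerprint_exists(root: str, fid: str) -> bool:
    """Hardened existence check: malformed IDs are rejected without touching the disk."""
    if not is_valid_fingerprint_id(fid):
        return False
    path = os.path.realpath(fingerprint_path(root, fid))
    store = os.path.realpath(os.path.join(root, "fingerprints"))
    # Defense in depth: the resolved path must stay inside the fingerprint store.
    if os.path.commonpath([store, path]) != store:
        return False
    return os.path.isfile(path)


def demo() -> dict:
    """Constructed sample store: one real fingerprint plus an unrelated XML file."""
    root = tempfile.mkdtemp()
    good = "0123456789abcdef0123456789abcdef"
    os.makedirs(os.path.dirname(fingerprint_path(root, good)))
    with open(fingerprint_path(root, good), "w") as f:
        f.write("<fingerprint/>")
    with open(os.path.join(root, "config.xml"), "w") as f:
        f.write("<hudson/>")  # constructed; must never be reachable via the endpoint
    return {
        "valid_present": fingerprint_exists(root, good),
        "valid_absent": fingerprint_exists(root, "f" * 32),
        "uppercase_rejected": not fingerprint_exists(root, good.upper()),
        "wrong_length_rejected": not fingerprint_exists(root, good[:31]),
        "separator_rejected": not fingerprint_exists(root, good[:-1] + "/"),
    }
```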
Recommendations

For Jenkins versions 2.274 and earlier, update to version 2.275 or later.
For Jenkins LTS versions 2.263.1 and earlier, update to version 2.263.2 or later.

RCE

Weakness Enumeration

Related Identifiers

BIT-JENKINS-2021-21606
CVE-2021-21606
GHSA-F585-9FW3-RJ2M
RHSA-2021:0423
RHSA-2021:0429
RHSA-2021:0637

Affected Products

Jenkins