PT-2021-14658 · Jenkins · Jenkins

Credits: Daniel Beck (+1)
Published: 2021-01-26
Updated: 2024-03-06
CVE: CVE-2021-21615
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Jenkins versions 2.275 through 2.275
Jenkins LTS versions 2.263.2 through 2.263.2
Description
The issue is a time-of-check to time-of-use (TOCTOU) race condition that allows attackers to read arbitrary files through the file browser for workspaces and archived artifacts. The file browser follows symbolic links to locations outside the directory being browsed. Attackers with Job/Workspace permission who can control workspace contents can create symbolic links in the workspace and use the workspace browser to read files outside it.
Recommendations
For Jenkins version 2.275, update to version 2.276 or later. For Jenkins LTS version 2.263.2, update to version 2.263.3 or later. As a temporary workaround, restrict access to the workspace browser and archived artifacts to reduce the risk of exploitation.
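The weakness described above is generic: a file browser that validates a path lexically and then opens it with a symlink-following call can be redirected outside the directory it is supposed to serve, and even a correct check can be invalidated by a link created between the check and the open. The following added example (not Jenkins code, and not the actual fix shipped in 2.276 / 2.263.3) contrasts a check-then-open reader with one that walks the path component by component using directory-relative opens and O_NOFOLLOW, so a symlink anywhere in the path is refused atomically at open time rather than being checked beforehand. It assumes a POSIX system where os.open supports dir_fd; the workspace, the secret file and the symlink are constructed in a temporary directory by the demo() function.

```python
import os
import tempfile


def naive_read(workspace: str, rel_path: str) -> bytes:
    """Check-then-use reader (the vulnerable pattern).

    The check only looks at the *lexical* path, so a symlink component is
    not seen, and open() follows symlinks at use time. Anything that turns
    a workspace entry into a link between check and open wins the race.
    """
    full = os.path.normpath(os.path.join(workspace, rel_path))
    if not full.startswith(os.path.join(workspace, "")):
        raise PermissionError("outside workspace")
    with open(full, "rb") as f:  # follows symbolic links
        return f.read()


def confined_read(workspace: str, rel_path: str) -> bytes:
    """Reader confined to `workspace` without a separate check step.

    Each path component is opened relative to the previous directory fd
    with O_NOFOLLOW, so the kernel refuses symlink components (ELOOP) in
    the same syscall that would otherwise follow them. Intermediate
    components must be real directories (O_DIRECTORY).
    """
    parts = [p for p in rel_path.split("/") if p not in ("", ".")]
    if any(p == ".." for p in parts):
        raise PermissionError("parent traversal not allowed")

    fd = os.open(workspace, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for i, part in enumerate(parts):
            flags = os.O_RDONLY | os.O_NOFOLLOW
            if i < len(parts) - 1:
                flags |= os.O_DIRECTORY
            try:
                next_fd = os.open(part, flags, dir_fd=fd)
            except OSError as exc:
                # ELOOP for a symlink component, ENOTDIR for a file used as
                # a directory, ENOENT for a missing entry: all are refusals.
                raise PermissionError(f"refusing {part!r}: {exc.strerror}") from exc
            os.close(fd)
            fd = next_fd
        with os.fdopen(fd, "rb") as f:
            fd = -1  # ownership of the descriptor moved to the file object
            return f.read()
    finally:
        if fd != -1:
            os.close(fd)


def demo() -> dict:
    """Build a constructed workspace containing a symlink that points at a
    file outside it, then report what each reader returns."""
    with tempfile.TemporaryDirectory() as root:
        workspace = os.path.join(root, "workspace")
        os.makedirs(workspace)

        # Constructed sample data: a secret outside the workspace and a
        # legitimate build log inside it.
        secret = os.path.join(root, "secret.txt")
        with open(secret, "wb") as f:
            f.write(b"master-key")
        with open(os.path.join(workspace, "build.log"), "wb") as f:
            f.write(b"ok")
        os.symlink(secret, os.path.join(workspace, "link"))

        result = {"naive": naive_read(workspace, "link")}
        try:
            confined_read(workspace, "link")
            result["confined"] = "leaked"
        except PermissionError:
            result["confined"] = "refused"
        result["legit"] = confined_read(workspace, "build.log")
        return result


if __name__ == "__main__":
    print(demo())
```

The point of the component-wise walk is that there is no moment at which a separately validated path is handed to a symlink-following call; the refusal happens inside the open itself, which is what closes the TOCTOU window. A realpath-based containment check, by contrast, is still a check performed before the use and can be raced.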

Weakness Enumeration
Time Of Check To Time Of Use

Related Identifiers

BIT-JENKINS-2021-21615
CVE-2021-21615
GHSA-QXP6-27GW-99CJ
RHSA-2021:0423
RHSA-2021:0429

Affected Products

Jenkins