CVE-2021-21683

Name of the Vulnerable Software and Affected Versions Jenkins versions 2.314 and earlier Jenkins LTS versions 2.303.1 and earlier

Description The file browser in Jenkins may interpret some paths to files as absolute on Windows, resulting in a path traversal issue. This allows attackers with Overall/Read permission on Windows controllers or Job/Workspace permission on Windows agents to obtain the contents of arbitrary files. The issue affects the file browser for workspaces, archived artifacts, and userContent/.

Recommendations For Jenkins versions 2.314 and earlier, update to version 2.315 or later to resolve the issue. For Jenkins LTS versions 2.303.1 and earlier, update to version 2.303.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the file browser for workspaces, archived artifacts, and userContent/ to minimize the risk of exploitation.