PT-2021-14728 · Jenkins · Jenkins

Daniel Beck · Published 2021-11-04 · Updated 2024-03-06 · CVE-2021-21687

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins versions 2.318 and earlier; Jenkins LTS versions 2.303.2 and earlier

Description: The issue concerns the creation of symbolic links when unarchiving a symbolic link in FilePath#untar. The operation does not perform the agent-to-controller access check, so a symbolic link can be created without that authorization.

Recommendations: For Jenkins versions 2.318 and earlier, consider restricting access to the FilePath#untar function until a patch is available. For Jenkins LTS versions 2.303.2 and earlier, consider disabling the untar functionality in FilePath to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
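As an added illustration (this is not Jenkins code and not part of this record), the following Python sketch shows the kind of guard an unarchive routine needs for the weakness described above: symbolic and hard link members are refused unless the caller is explicitly authorized to create links, and even then only link targets inside the extraction root are accepted. Entries routed through an archive-defined symlink and entries that escape the root by path are refused in every mode. The function names, the policy flag and the in-memory sample archive are all constructed for this example.

```python
import io
import os
import posixpath
import tarfile
import tempfile


def build_sample_archive() -> bytes:
    """Constructed sample archive (built in memory, not a real artifact):
    a regular file, a path-traversal entry, a symlink pointing outside the
    destination, a symlink that stays inside it, and a file whose path
    passes through that inner symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"hello\n"
        ti = tarfile.TarInfo("build/output.txt")
        ti.size = len(data)
        tar.addfile(ti, io.BytesIO(data))

        ti = tarfile.TarInfo("../outside.txt")
        ti.size = len(data)
        tar.addfile(ti, io.BytesIO(data))

        ti = tarfile.TarInfo("build/etc")
        ti.type = tarfile.SYMTYPE
        ti.linkname = "/etc"
        tar.addfile(ti)

        ti = tarfile.TarInfo("build/link_to_self")
        ti.type = tarfile.SYMTYPE
        ti.linkname = "."
        tar.addfile(ti)

        ti = tarfile.TarInfo("build/link_to_self/planted.txt")
        ti.size = len(data)
        tar.addfile(ti, io.BytesIO(data))
    return buf.getvalue()


def _escapes_root(normalized: str) -> bool:
    # A normalized POSIX path escapes the root if it is absolute or climbs above it.
    return normalized.startswith("/") or normalized == ".." or normalized.startswith("../")


def classify_members(tar: tarfile.TarFile, allow_symlinks: bool = False):
    """Split archive members into (accepted, rejected); rejected entries carry a reason.
    allow_symlinks models the authorization decision that the unarchive step must
    make before creating any link on the receiving side (hypothetical policy flag)."""
    accepted, rejected = [], []
    link_names = set()  # normalized names of every link member seen so far
    for m in tar.getmembers():
        name = posixpath.normpath(m.name)
        if _escapes_root(name):
            rejected.append((m.name, "path escapes destination"))
            continue
        # Refuse anything whose path passes through a link defined earlier in the
        # archive, even if that link itself was refused: the on-disk layout must
        # never depend on archive-controlled links.
        parts = name.split("/")
        if any("/".join(parts[:i]) in link_names for i in range(1, len(parts))):
            rejected.append((m.name, "path routed through an archive symlink"))
            continue
        if m.issym() or m.islnk():
            link_names.add(name)
            if not allow_symlinks:
                rejected.append((m.name, "link creation not authorized"))
                continue
            if m.issym():
                # Symlink targets are relative to the entry's own directory.
                target = posixpath.normpath(posixpath.join(posixpath.dirname(name), m.linkname))
            else:
                # Hard link targets are relative to the archive root.
                target = posixpath.normpath(m.linkname)
            if m.linkname.startswith("/") or _escapes_root(target):
                rejected.append((m.name, "link target escapes destination"))
                continue
        accepted.append(m)
    return accepted, rejected


def scan_archive(archive: bytes, allow_symlinks: bool = False):
    """Classify without touching the disk; returns (accepted names, rejected pairs)."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        accepted, rejected = classify_members(tar, allow_symlinks)
        return [m.name for m in accepted], rejected


def safe_untar(archive: bytes, dest: str, allow_symlinks: bool = False):
    """Extract only the accepted members into dest; returns what was refused."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        accepted, rejected = classify_members(tar, allow_symlinks)
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, members=accepted, **kwargs)
    return rejected


if __name__ == "__main__":
    dest = tempfile.mkdtemp()
    for name, reason in safe_untar(build_sample_archive(), dest):
        print(f"refused {name}: {reason}")
    print("extracted:", sorted(os.listdir(os.path.join(dest, "build"))))
```

With the default policy every link member is refused, which is the behaviour an unarchive step should fall back to when the caller has not passed the access check; with `allow_symlinks=True` the in-tree link is created but the absolute target and the entry routed through a link are still refused.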

Weakness Enumeration: Missing Authorization

Related Identifiers:
BIT-JENKINS-2021-21687
CVE-2021-21687
GHSA-3Q84-VRVX-RFVF
RHSA-2021:4799
RHSA-2021:4801
RHSA-2021:4827
RHSA-2021:4829
RHSA-2021:4833

Affected Products:
Jenkins