PT-2021-14729 · Jenkins · Jenkins Subversion Plugin

Daniel Beck · Published 2021-11-04 · Updated 2023-11-22 · CVE-2021-21698

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins Subversion Plugin versions 2.15.0 and earlier

Description: Jenkins Subversion Plugin 2.15.0 and earlier does not restrict the name of a file when looking up a Subversion key file on the controller on behalf of an agent, so an agent-supplied name containing directory separators resolves to a location outside the intended directory. This allows attackers who can control agent processes to read arbitrary files on the Jenkins controller file system.

Recommendations: For Jenkins Subversion Plugin versions 2.15.0 and earlier, update to version 2.15.1 or later, which checks for the presence of directory separator characters in the file name and rejects names that contain them, restricting the lookup to the intended directory.
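The pattern behind this advisory, and the kind of check the fix describes, as an added illustration that is not the Subversion Plugin's own code: a controller-side lookup that joins an agent-supplied file name to a fixed key directory without validation, next to a hardened version that rejects directory separators and then re-verifies containment. The class name, method names, directory layout and fixture files are assumptions made for this example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Illustrates the class of bug in CVE-2021-21698: a file name chosen by an
 * agent is used to look up a key file on the controller. Everything below
 * (names, layout, messages) is assumed for this example and is not the
 * Subversion Plugin's code.
 */
public class KeyFileLookup {

    /** Directory on the controller that holds the key files (assumed layout). */
    private final Path keyDir;

    public KeyFileLookup(Path keyDir) {
        this.keyDir = keyDir.toAbsolutePath().normalize();
    }

    /**
     * Vulnerable pattern: the agent-controlled name is joined to keyDir with no
     * check. "../../etc/passwd" walks out of keyDir, and an absolute name such
     * as "/etc/passwd" makes Path.resolve() discard keyDir entirely.
     */
    public byte[] readKeyFileUnchecked(String nameFromAgent) throws IOException {
        return Files.readAllBytes(keyDir.resolve(nameFromAgent));
    }

    /**
     * Hardened pattern in the spirit of the 2.15.1 fix the advisory describes:
     * reject any name containing a directory separator, then confirm that the
     * resolved path still sits directly inside keyDir before reading it.
     */
    public byte[] readKeyFileChecked(String nameFromAgent) throws IOException {
        if (!isPlainFileName(nameFromAgent)) {
            throw new IllegalArgumentException("Invalid key file name: " + nameFromAgent);
        }
        Path target = keyDir.resolve(nameFromAgent).normalize();
        // Defence in depth: the character check should already guarantee this.
        if (!keyDir.equals(target.getParent())) {
            throw new IllegalArgumentException("Key file escapes key directory: " + nameFromAgent);
        }
        return Files.readAllBytes(target);
    }

    /** True only for a bare file name: no '/', no '\\', and not "." or "..". */
    static boolean isPlainFileName(String name) {
        if (name == null || name.isEmpty()) {
            return false;
        }
        if (name.indexOf('/') >= 0 || name.indexOf('\\') >= 0) {
            return false;
        }
        return !name.equals(".") && !name.equals("..");
    }

    public static void main(String[] args) throws IOException {
        // Constructed fixture: a throwaway key directory with one legitimate key file,
        // plus a file beside it standing in for a controller secret.
        Path keyDir = Files.createTempDirectory("svn-keys");
        Files.write(keyDir.resolve("deploy.key"), "PRIVATE-KEY-PLACEHOLDER".getBytes(StandardCharsets.UTF_8));
        Path secret = Files.createTempFile("controller-secret", ".txt");
        Files.write(secret, "SECRET".getBytes(StandardCharsets.UTF_8));

        KeyFileLookup lookup = new KeyFileLookup(keyDir);
        // Both temp entries share a parent, so one ".." is enough to reach the secret.
        String traversal = "../" + secret.getFileName();

        System.out.println("unchecked, legit name:  " + new String(lookup.readKeyFileUnchecked("deploy.key"), StandardCharsets.UTF_8));
        System.out.println("unchecked, traversal:   " + new String(lookup.readKeyFileUnchecked(traversal), StandardCharsets.UTF_8));
        System.out.println("checked, legit name:    " + new String(lookup.readKeyFileChecked("deploy.key"), StandardCharsets.UTF_8));
        try {
            lookup.readKeyFileChecked(traversal);
        } catch (IllegalArgumentException e) {
            System.out.println("checked, traversal:     rejected (" + e.getMessage() + ")");
        }
        try {
            lookup.readKeyFileChecked(secret.toString());
        } catch (IllegalArgumentException e) {
            System.out.println("checked, absolute path: rejected (" + e.getMessage() + ")");
        }

        Files.deleteIfExists(secret);
        Files.deleteIfExists(keyDir.resolve("deploy.key"));
        Files.deleteIfExists(keyDir);
    }
}
```

Run with `java KeyFileLookup.java` (JDK 11 or later). The separator check is the part the advisory attributes to 2.15.1; the containment re-check after normalization is an extra belt-and-braces step, useful because it also catches a bare ".." and any separator the first check did not anticipate.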

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2021-21698
GHSA-Q58J-FHJ7-J6FG
RHSA-2021:4799
RHSA-2021:4801
RHSA-2021:4827
RHSA-2021:4829
RHSA-2021:4833

Affected Products

Jenkins
Jenkins Subversion Plugin