CVE-2021-21696

Name of the Vulnerable Software and Affected Versions Jenkins versions 2.318 and earlier, LTS versions 2.303.2 and earlier

Description The issue is related to the implementation of the FilePath API in the Jenkins automation server, which does not limit agent read/write access to the libs/ directory inside build directories. This allows attackers in control of agent processes to replace the code of a trusted library with a modified variant, resulting in unsandboxed code execution in the Jenkins controller process. The libs/ directory is used by the Pipeline: Shared Groovy Libraries Plugin to store copies of shared libraries.

Recommendations For Jenkins versions 2.318 and earlier, LTS versions 2.303.2 and earlier, update to Jenkins 2.319, LTS 2.303.3 to prohibit agent read/write access to the libs/ directory inside build directories. As a temporary workaround, consider installing the Remoting Security Workaround Plugin, which will prevent all agent-to-controller file access using FilePath APIs. However, note that this plugin is more restrictive and may cause incompatibility with other plugins. Restrict access to the libs/ directory to minimize the risk of exploitation.