CVE-2021-21686

CVSS v3.1

9.0

Critical

Vector

AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Jenkins versions 2.318 and earlier Jenkins LTS versions 2.303.2 and earlier

Description The issue is related to the agent-to-controller security subsystem of Jenkins, where file path filters do not canonicalize paths. This allows operations to follow symbolic links to outside allowed directories, potentially compromising the confidentiality and integrity of protected information.

Recommendations For Jenkins versions 2.318 and earlier, update to a version that fixes the issue. For Jenkins LTS versions 2.303.2 and earlier, update to a version that fixes the issue. As a temporary workaround, consider restricting access to sensitive directories to minimize the risk of exploitation.

Fix

Link Following

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-59CWE-22

Related Identifiers

BDU:2021-06108

BIT-JENKINS-2021-21686

CVE-2021-21686

GHSA-4G38-HRM4-RG94

RHSA-2021:4799

RHSA-2021:4801

RHSA-2021:4827

RHSA-2021:4829

RHSA-2021:4833

Affected Products

Jenkins

CVE-2021-21686

Weakness Enumeration

Related Identifiers

Affected Products

References · 14