CVE-2021-21697

Name of the Vulnerable Software and Affected Versions Jenkins versions 2.318 and earlier, LTS versions 2.303.2 and earlier

Description The issue is related to the use of an incomplete blacklist in Jenkins, allowing any agent to read and write the contents of any build directory stored in Jenkins with very few restrictions. This can be exploited by a remote attacker to access build-related information. The vulnerability affects the directories storing build-related information, including build.xml and some Pipeline-related metadata.

Recommendations For Jenkins versions 2.318 and earlier, LTS versions 2.303.2 and earlier, update to Jenkins 2.319, LTS 2.303.3 to prevent agents from accessing contents of build directories unless it’s for builds currently running on the agent attempting to access the directory. Alternatively, install the Remoting Security Workaround Plugin to prevent all agent-to-controller file access using FilePath APIs, but be aware that it may be more restrictive and incompatible with some plugins. Additionally, update the Pipeline: Nodes and Processes plugin to version 2.40 or newer to associate Pipeline node blocks with the agent they’re running on.