CVE-2021-21685

CVSS v3.1

9.4

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions Jenkins versions 2.318 and earlier Jenkins LTS versions 2.303.2 and earlier

Description The issue is related to a lack of authorization procedure in the Jenkins automation server. This allows a remote attacker to create parent directories in FilePath#mkdirs.

Recommendations For Jenkins versions 2.318 and earlier, consider disabling the FilePath#mkdirs function until a patch is available. For Jenkins LTS versions 2.303.2 and earlier, restrict access to the FilePath#mkdirs function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-862

Related Identifiers

BDU:2021-06110

BIT-JENKINS-2021-21685

CVE-2021-21685

GHSA-58XM-MXJF-254G

RHSA-2021:4799

RHSA-2021:4801

RHSA-2021:4827

RHSA-2021:4829

RHSA-2021:4833

Affected Products

Jenkins

CVE-2021-21685

Weakness Enumeration

Related Identifiers

Affected Products

References · 15