PT-2021-5285 · Jenkins · Jenkins

Daniel Beck · Published 2021-11-04 · Updated 2024-03-06 · CVE-2021-21690

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Jenkins versions 2.318 and earlier, LTS versions 2.303.2 and earlier

Description: The issue is a bypass of the file path filtering mechanism in Jenkins that allows an attacker to compromise the confidentiality, integrity, and availability of protected information. The bypass is achieved by wrapping the file operation in an agent file path.

Recommendations: For Jenkins versions 2.318 and earlier, consider disabling the agent file path wrapping feature until a patch is available. For LTS versions 2.303.2 and earlier, restrict access to the agent file path to minimize the risk of exploitation. As a temporary workaround, avoid using the agent file path in Jenkins until the issue is resolved.

Fix

Weakness Enumeration

Protection Mechanism Failure
Path traversal

Related Identifiers

BDU:2021-06111
BIT-JENKINS-2021-21690
CVE-2021-21690
GHSA-97C3-W9CR-6QC2
RHSA-2021:4799
RHSA-2021:4801
RHSA-2021:4827
RHSA-2021:4829
RHSA-2021:4833

Affected Products

Jenkins