PT-2021-5384 · Jenkins · Jenkins
Daniel Beck
·
Published
2021-11-04
·
Updated
2024-03-06
·
CVE-2021-21695
CVSS v2.0
9.3
Critical
| Vector | AV:N/AC:M/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Jenkins versions 2.318 and earlier
Jenkins LTS versions 2.303.2 and earlier
Description
The vulnerability is in the FilePath#listFiles method of the Jenkins automation server. When it follows a symbolic link, FilePath#listFiles lists files outside the directories that agents are allowed to access: the access control that is supposed to confine agents to their allowed directories is not applied to the resolved target of the link (Missing Authorization combined with Link Following). A remote attacker who controls an agent process can use this to obtain listings of files on the controller that the agent should not be able to see, impacting the confidentiality, integrity, and availability of protected information.
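To make the failure mode concrete, the following is an added illustration and not Jenkins' own code: a minimal "list a directory under an allowed root" routine written twice. The naive version checks the requested path lexically, then calls the listing function, which follows symbolic links, so a link inside the allowed directory that points elsewhere is listed without any check on where it resolves. The hardened version resolves symlinks first and enforces containment on the real path. The layout (a `workspace` directory, a `secret` directory with `credentials.xml`, and an `escape` symlink) is constructed in a temporary directory; all names are hypothetical.

```python
import os
import tempfile
from pathlib import Path


def naive_list(root: str, rel: str) -> list[str]:
    """Vulnerable pattern: a lexical containment check, then a listing that follows symlinks."""
    target = os.path.normpath(os.path.join(root, rel))
    # The textual path "root/rel" stays inside root, so this check passes
    # even when "rel" is a symlink pointing outside root.
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"{rel} is outside the allowed directory")
    # os.listdir follows the symlink and lists the link's target, wherever it is.
    return sorted(os.listdir(target))


def safe_list(root: str, rel: str) -> list[str]:
    """Hardened pattern: resolve symlinks first, then check containment on the real path."""
    real_root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(real_root, rel))
    # commonpath on resolved paths catches both ".." traversal and symlink escapes.
    if os.path.commonpath([real_root, target]) != real_root:
        raise PermissionError(f"{rel} resolves outside the allowed directory")
    return sorted(os.listdir(target))


def demo() -> dict:
    """Build a constructed layout and run both listings against it."""
    base = tempfile.mkdtemp()
    allowed = os.path.join(base, "workspace")   # what the agent may access (hypothetical)
    secret = os.path.join(base, "secret")       # what it must not see (hypothetical)
    os.makedirs(os.path.join(allowed, "src"))
    os.makedirs(secret)
    Path(allowed, "src", "main.c").write_text("int main(void) { return 0; }\n")
    Path(secret, "credentials.xml").write_text("<credentials/>\n")   # constructed sample
    # The escape: a symlink inside the allowed directory pointing at the secret one.
    os.symlink(secret, os.path.join(allowed, "escape"))

    result = {"naive": naive_list(allowed, "escape")}   # leaks the secret listing
    try:
        safe_list(allowed, "escape")
        result["safe"] = "listed"
    except PermissionError:
        result["safe"] = "denied"
    # A legitimate subdirectory still works with the hardened check.
    result["legit"] = safe_list(allowed, "src")
    return result


if __name__ == "__main__":
    print(demo())
```

The decisive difference is the order of operations: authorization must be decided on the path the operating system will actually open (after symlink resolution), not on the string the caller supplied. The same principle applies whether the check lives in a CI controller, a file-serving API, or an archive extractor.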
Recommendations
Upgrade to a release that contains the fix: Jenkins weekly 2.319 or later, and Jenkins LTS 2.303.3 or later.
FilePath#listFiles is an internal API used by the controller and by plugins; it cannot be disabled or restricted through configuration on its own. Until the upgrade is applied, keep the agent-to-controller access control enabled, do not allow untrusted parties to run or connect agents, and avoid symbolic links in agent-accessible directories (workspaces, build directories) that point outside those directories.
Fix
Missing Authorization
Link Following
Related Identifiers
Affected Products
Jenkins