CVE-2021-21688

Name of the Vulnerable Software and Affected Versions Jenkins versions 2.318 and earlier, LTS versions 2.303.2 and earlier

Description The issue is related to the absence of an authorization procedure in the FilePath#reading(FileVisitor) component of the Jenkins automation server. This allows a remote attacker to have unrestricted read access to files using certain operations, such as creating archives or using the FilePath#copyRecursiveTo operation. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents where this issue was exploited.

Recommendations For Jenkins versions 2.318 and earlier, update to a version that includes the fix for this issue. For LTS versions 2.303.2 and earlier, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the FilePath#reading(FileVisitor) component until a patch is available. Avoid using the FilePath#copyRecursiveTo operation in the affected API endpoint until the issue is resolved.