PT-2021-5386 · Jenkins · Jenkins

Daniel Beck

Published

2021-11-04

Updated

2024-03-06

CVE-2021-21691

CVSS v2.0

Critical

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Jenkins versions 2.318 and earlier Jenkins LTS versions 2.303.2 and earlier

Description The issue is related to a flaw in the authorization mechanism of Jenkins, allowing the creation of symbolic links without the necessary 'symlink' agent-to-controller access control permission. This could potentially allow a remote attacker to impact the confidentiality, integrity, and availability of protected information.

Recommendations For Jenkins versions 2.318 and earlier, update to a version that includes the fix for this issue. For Jenkins LTS versions 2.303.2 and earlier, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the symlink functionality until a patch is available.

Fix

Incorrect Authorization

Link Following

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-863CWE-59

Related Identifiers

BDU:2021-06223

BIT-JENKINS-2021-21691

CVE-2021-21691

GHSA-2C79-H2H5-G3FW

RHSA-2021:4799

RHSA-2021:4801

RHSA-2021:4827

RHSA-2021:4829

RHSA-2021:4833

Affected Products

Jenkins

PT-2021-5386 · Jenkins · Jenkins

CVE-2021-21691

Weakness Enumeration

Related Identifiers

Affected Products

References · 11