PT-2021-5422 · Jenkins · Jenkins

Daniel Beck · Published 2021-11-04 · Updated 2026-05-16 · CVE-2021-21693

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Jenkins versions 2.318 and earlier
Jenkins LTS versions 2.303.2 and earlier

Description

The issue stems from an incorrect authorization check in Jenkins that allows a remote attacker to create arbitrary files on the controller. When an agent asks the controller to create a temporary file, the agent-to-controller access check for that file is performed only after the file has already been created, so the file exists on disk regardless of whether the check ultimately rejects the request.

Recommendations

For Jenkins versions 2.318 and earlier, update to a version that includes the fix for this issue. For Jenkins LTS versions 2.303.2 and earlier, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the temporary file creation functionality until a patch is available.

Fix

Weakness Enumeration

Incorrect Authorization
Improper Authorization

Related Identifiers

BDU:2021-06265
BIT-JENKINS-2021-21693
CVE-2021-21693
GHSA-929W-Q433-4H9X
RHSA-2021:4799
RHSA-2021:4801
RHSA-2021:4827
RHSA-2021:4829
RHSA-2021:4833

Affected Products

Jenkins