PT-2021-5581 · Jenkins · Jenkins

Daniel Beck

Published

2021-11-04

Updated

2024-03-06

CVE-2021-21692

CVSS v2.0

Critical

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Jenkins versions 2.318 and earlier Jenkins LTS versions 2.303.2 and earlier

Description The issue is related to a flaw in the authorization mechanism of the Jenkins automation server. This flaw allows a remote attacker to impact the confidentiality, integrity, and availability of protected information. The FilePath#renameTo and FilePath#moveAllChildrenTo functions in Jenkins only check for 'read' agent-to-controller access permission on the source path, instead of 'delete'.

Recommendations For Jenkins versions 2.318 and earlier, update to a version that includes the fix for this issue. For Jenkins LTS versions 2.303.2 and earlier, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the FilePath#renameTo and FilePath#moveAllChildrenTo functions until a patch is available.

Fix

Path traversal

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22CWE-863

Related Identifiers

BDU:2022-00011

BIT-JENKINS-2021-21692

CVE-2021-21692

GHSA-8XG4-XQ2V-V6J7

RHSA-2021:4799

RHSA-2021:4801

RHSA-2021:4827

RHSA-2021:4829

RHSA-2021:4833

Affected Products

Jenkins

PT-2021-5581 · Jenkins · Jenkins

CVE-2021-21692

Weakness Enumeration

Related Identifiers

Affected Products

References · 13