PT-2021-5606 · Jenkins · Jenkins
Daniel Beck · Published 2021-11-04 · Updated 2024-03-06
CVE-2021-21689
| CVSS v2.0 | 9.4 (Critical) |
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:N |
Name of the Vulnerable Software and Affected Versions
Jenkins versions 2.318 and earlier
Jenkins LTS versions 2.303.2 and earlier
Description
The issue stems from missing agent-to-controller access control in Jenkins for the FilePath#unzip and FilePath#untar operations. A remote attacker could use this to compromise the confidentiality and integrity of protected information.
Recommendations
For Jenkins versions 2.318 and earlier, consider disabling the FilePath#unzip and FilePath#untar operations until a patch is available.
For Jenkins LTS versions 2.303.2 and earlier, restrict access to the vulnerable FilePath#unzip and FilePath#untar operations to minimize the risk of exploitation.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Weakness Enumeration
Missing Authorization
Related Identifiers
Affected Products
Jenkins