CVE-2021-21690

Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.

Published: Nov 4, 2021
Updated: Oct 26, 2023
CVE: CVE-2021-21690
GHSA: GHSA-97c3-w9cr-6qc2
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-693
CWE-22

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
jenkins / jenkins	-	2.303.3
jenkins / jenkins	-	2.319
org.jenkins-ci.main / jenkins-core	-	2.303.3
org.jenkins-ci.main / jenkins-core	2.304	2.319

https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455

Vulnerability Database

289,599

CVE-2021-21690