CVE-2021-21690
jenkins: Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path
Severity Score
9.8
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.
Los procesos de los agentes son capaces de omitir completamente el filtrado de rutas de archivos al envolver la operaciĆ³n de archivo en una ruta de archivo de agente en Jenkins versiones 2.318 y anteriores, LTS versiones 2.303.2 y anteriores
A file path filtering bypass vulnerability was found in Jenkins. Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path. This may allow an attacker who controls the agent process to get read and write access to arbitrary files on the Jenkins controller file system.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2021-01-04 CVE Reserved
- 2021-11-04 CVE Published
- 2024-08-03 CVE Updated
- 2024-08-03 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CAPEC
References (3)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455 | 2023-11-22 | |
| https://access.redhat.com/security/cve/CVE-2021-21690 | 2021-11-29 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2020336 | 2021-11-29 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Jenkins Search vendor "Jenkins" | Jenkins Search vendor "Jenkins" for product "Jenkins" | < 2.303.3 Search vendor "Jenkins" for product "Jenkins" and version " < 2.303.3" | lts |
Affected
| ||||||
| Jenkins Search vendor "Jenkins" | Jenkins Search vendor "Jenkins" for product "Jenkins" | < 2.319 Search vendor "Jenkins" for product "Jenkins" and version " < 2.319" | - |
Affected
| ||||||