
GHSA-q58j-fhj7-j6fg

Published: May 24, 2022
Source: github
Github: Reviewed
CVSS3: 6.5

Description

Path traversal vulnerability in Jenkins Subversion Plugin allows reading arbitrary files

Subversion Plugin 2.15.0 and earlier does not restrict the name of a file when looking up a subversion key file on the controller from an agent.

This allows attackers able to control agent processes to read arbitrary files on the Jenkins controller file system.

Subversion Plugin 2.15.1 checks for the presence of and prohibits directory separator characters as part of the file name, restricting it to the intended directory.
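
The fix described above, sketched as an added example that is not taken from the Subversion Plugin's source: a controller-side lookup that resolves an agent-supplied file name as-is, next to one that rejects directory separators and confirms the result stays in the intended directory. The class, method, directory and file names are hypothetical, and the sample files are constructed in a temporary directory.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

public class KeyFileLookup {
    // Hypothetical directory on the controller that holds key files.
    private final Path keyDir;

    public KeyFileLookup(Path keyDir) {
        this.keyDir = keyDir.toAbsolutePath().normalize();
    }

    /** Unrestricted lookup: the agent-supplied name is resolved as-is. */
    byte[] readUnchecked(String name) throws IOException {
        return Files.readAllBytes(keyDir.resolve(name));
    }

    /** Restricted lookup: reject separators, then confirm containment. */
    byte[] readChecked(String name) throws IOException {
        if (name == null || name.isEmpty()
                || name.indexOf('/') >= 0 || name.indexOf('\\') >= 0
                || name.equals(".") || name.equals("..")) {
            throw new SecurityException("illegal key file name");
        }
        // Defense in depth: the resolved file must sit directly in keyDir.
        Path resolved = keyDir.resolve(name).normalize();
        if (!keyDir.equals(resolved.getParent())) {
            throw new SecurityException("key file outside key directory");
        }
        return Files.readAllBytes(resolved);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout: <tmp>/keys/agent.key and <tmp>/secret.txt
        Path root = Files.createTempDirectory("controller");
        Path keys = Files.createDirectory(root.resolve("keys"));
        Files.write(keys.resolve("agent.key"), "key-material".getBytes(StandardCharsets.UTF_8));
        Files.write(root.resolve("secret.txt"), "controller-secret".getBytes(StandardCharsets.UTF_8));

        KeyFileLookup lookup = new KeyFileLookup(keys);
        System.out.println(new String(lookup.readChecked("agent.key"), StandardCharsets.UTF_8));
        // The unchecked lookup follows the separator out of the key directory.
        System.out.println(new String(lookup.readUnchecked("../secret.txt"), StandardCharsets.UTF_8));
        try {
            lookup.readChecked("../secret.txt");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```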

Packages

Name: org.jenkins-ci.plugins:subversion (maven)
Affected versions: <= 2.15.0
Fixed version: 2.15.1

EPSS

Percentile: 84%
0.02078
Low

CVSS3: 6.5 Medium

Weaknesses

CWE-22

Related vulnerabilities

CVSS3: 7.5
redhat
more than 4 years ago

Jenkins Subversion Plugin 2.15.0 and earlier does not restrict the name of a file when looking up a subversion key file on the controller from an agent.

CVSS3: 7.5
nvd
more than 4 years ago

Jenkins Subversion Plugin 2.15.0 and earlier does not restrict the name of a file when looking up a subversion key file on the controller from an agent.
