Описание
Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agent-to-controller access to create parent directories in FilePath#mkdirs.
An incorrect permissions validation vulnerability was found in Jenkins. The FilePath#mkdirs does not check permission to create parent directories, which may allow an attacker who controls the agent process to get read and write arbitrary files on the Jenkins controller file system.
Меры по смягчению последствий
Red Hat has investigated whether a possible mitigation exists for this issue and has not been able to identify a practical example. Please update the affected package as soon as possible.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Fuse 7 | jenkins | Not affected | ||
| Red Hat OpenShift Container Platform 3.11 | jenkins | Fixed | RHSA-2021:4827 | 02.12.2021 |
| Red Hat OpenShift Container Platform 4.6 | jenkins | Fixed | RHSA-2021:4799 | 02.12.2021 |
| Red Hat OpenShift Container Platform 4.7 | jenkins | Fixed | RHSA-2021:4801 | 01.12.2021 |
| Red Hat OpenShift Container Platform 4.8 | jenkins | Fixed | RHSA-2021:4829 | 30.11.2021 |
| Red Hat OpenShift Container Platform 4.9 | jenkins | Fixed | RHSA-2021:4833 | 29.11.2021 |
Показывать по
Дополнительная информация
Статус:
EPSS
9 Critical
CVSS3
Связанные уязвимости
Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agent-to-controller access to create parent directories in FilePath#mkdirs.
Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agen ...
Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in Jenkins
Уязвимость сервера автоматизации Jenkins, связанная с отсутствием процедуры авторизации, позволяющая нарушителю создать родительские каталоги в FilePath#mkdirs
EPSS
9 Critical
CVSS3