Описание
Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agent-to-controller access to create symbolic links when unarchiving a symbolic link in FilePath#untar.
An incorrect permissions validation vulnerability was found in Jenkins. The FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic link, which may allow an attacker to get read and write access to arbitrary files on the Jenkins controller file system.
Меры по смягчению последствий
Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Fuse 7 | jenkins | Not affected | ||
| Red Hat OpenShift Container Platform 3.11 | jenkins | Fixed | RHSA-2021:4827 | 02.12.2021 |
| Red Hat OpenShift Container Platform 4.6 | jenkins | Fixed | RHSA-2021:4799 | 02.12.2021 |
| Red Hat OpenShift Container Platform 4.7 | jenkins | Fixed | RHSA-2021:4801 | 01.12.2021 |
| Red Hat OpenShift Container Platform 4.8 | jenkins | Fixed | RHSA-2021:4829 | 30.11.2021 |
| Red Hat OpenShift Container Platform 4.9 | jenkins | Fixed | RHSA-2021:4833 | 29.11.2021 |
Показывать по
Дополнительная информация
Статус:
9 Critical
CVSS3
Связанные уязвимости
Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agent-to-controller access to create symbolic links when unarchiving a symbolic link in FilePath#untar.
Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agen ...
Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in Jenkins
9 Critical
CVSS3