Описание
Creating symbolic links is possible without the 'symlink' agent-to-controller access control permission in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.
A vulnerability was found in Jenkins which failed to correctly validate permissions. This flaw allowed any user to create symbolic links regardless if they had the symlink permission. It may allow an attacker to read and write to arbitrary files on the Jenkins controller file system.
Меры по смягчению последствий
Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Fuse 7 | jenkins | Not affected | ||
| Red Hat OpenShift Container Platform 3.11 | jenkins | Fixed | RHSA-2021:4827 | 02.12.2021 |
| Red Hat OpenShift Container Platform 4.6 | jenkins | Fixed | RHSA-2021:4799 | 02.12.2021 |
| Red Hat OpenShift Container Platform 4.7 | jenkins | Fixed | RHSA-2021:4801 | 01.12.2021 |
| Red Hat OpenShift Container Platform 4.8 | jenkins | Fixed | RHSA-2021:4829 | 30.11.2021 |
| Red Hat OpenShift Container Platform 4.9 | jenkins | Fixed | RHSA-2021:4833 | 29.11.2021 |
Показывать по
Дополнительная информация
Статус:
EPSS
9 Critical
CVSS3
Связанные уязвимости
Creating symbolic links is possible without the 'symlink' agent-to-controller access control permission in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.
Creating symbolic links is possible without the 'symlink' agent-to-con ...
Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in Jenkins
Уязвимость сервера автоматизации Jenkins, связанная с недостатками механизма авторизации, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации
EPSS
9 Critical
CVSS3