Description
When creating temporary files, agent-to-controller access to create those files is only checked after they've been created in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.
An incorrect permissions validation vulnerability was found in Jenkins. The permissions to create temporary files are only checked after they have been created. This may allow an attacker to get access to restricted data.
Mitigation
Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat Fuse 7 | jenkins | Not affected | | |
| Red Hat OpenShift Container Platform 3.11 | jenkins | Fixed | RHSA-2021:4827 | 02.12.2021 |
| Red Hat OpenShift Container Platform 4.6 | jenkins | Fixed | RHSA-2021:4799 | 02.12.2021 |
| Red Hat OpenShift Container Platform 4.7 | jenkins | Fixed | RHSA-2021:4801 | 01.12.2021 |
| Red Hat OpenShift Container Platform 4.8 | jenkins | Fixed | RHSA-2021:4829 | 30.11.2021 |
| Red Hat OpenShift Container Platform 4.9 | jenkins | Fixed | RHSA-2021:4833 | 29.11.2021 |
Additional information
Status:
EPSS
CVSS3: 9 Critical
Related vulnerabilities
Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in Jenkins
Vulnerability in the Jenkins automation server related to an incorrect authorization procedure, allowing an attacker to create arbitrary files