Описание
FilePath#listFiles lists files outside directories that agents are allowed to access when following symbolic links in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.
An incorrect permissions validation vulnerability was found in Jenkins. The FilePath#listFiles lists files outside directories with agent read access when following symbolic links. This may allow an attacker to get access to restricted data.
Меры по смягчению последствий
Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Fuse 7 | jenkins | Not affected | ||
| Red Hat OpenShift Container Platform 3.11 | jenkins | Fixed | RHSA-2021:4827 | 02.12.2021 |
| Red Hat OpenShift Container Platform 4.6 | jenkins | Fixed | RHSA-2021:4799 | 02.12.2021 |
| Red Hat OpenShift Container Platform 4.7 | jenkins | Fixed | RHSA-2021:4801 | 01.12.2021 |
| Red Hat OpenShift Container Platform 4.8 | jenkins | Fixed | RHSA-2021:4829 | 30.11.2021 |
| Red Hat OpenShift Container Platform 4.9 | jenkins | Fixed | RHSA-2021:4833 | 29.11.2021 |
Показывать по
Дополнительная информация
Статус:
EPSS
9 Critical
CVSS3
Связанные уязвимости
FilePath#listFiles lists files outside directories that agents are allowed to access when following symbolic links in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.
FilePath#listFiles lists files outside directories that agents are all ...
Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in Jenkins
Уязвимость компонента FilePath#listFiles сервера автоматизации Jenkins, связанная с отсутствием процедуры авторизации, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации
EPSS
9 Critical
CVSS3