Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2021-21696

Опубликовано: 04 нояб. 2021
Источник: redhat
CVSS3: 9
EPSS Низкий

Описание

Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not limit agent read/write access to the libs/ directory inside build directories when using the FilePath APIs, allowing attackers in control of agent processes to replace the code of a trusted library with a modified variant. This results in unsandboxed code execution in the Jenkins controller process.

An incorrect permissions validation vulnerability was found in Jenkins. An agent process read/write access to the libs/ directory inside build directories when using the FilePath APIs is not limited. This allows attackers in control of agent processes to replace the code of a trusted library with a modified variant, resulting in unsandboxed code execution in the Jenkins controller process.

Меры по смягчению последствий

Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Fuse 7jenkinsNot affected
Red Hat OpenShift Container Platform 3.11jenkinsFixedRHSA-2021:482702.12.2021
Red Hat OpenShift Container Platform 4.6jenkinsFixedRHSA-2021:479902.12.2021
Red Hat OpenShift Container Platform 4.7jenkinsFixedRHSA-2021:480101.12.2021
Red Hat OpenShift Container Platform 4.8jenkinsFixedRHSA-2021:482930.11.2021
Red Hat OpenShift Container Platform 4.9jenkinsFixedRHSA-2021:483329.11.2021

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important
Дефект:
CWE-22
https://bugzilla.redhat.com/show_bug.cgi?id=2020344jenkins: Agent-to-controller access control allowed writing to sensitive directory used by Pipeline: Shared Groovy Libraries Plugin

EPSS

Процентиль: 76%
0.00954
Низкий

9 Critical

CVSS3

Связанные уязвимости

nvd логотип

CVE-2021-21696

CVSS3: 9.8
nvd
больше 4 лет назад

Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not limit agent read/write access to the libs/ directory inside build directories when using the FilePath APIs, allowing attackers in control of agent processes to replace the code of a trusted library with a modified variant. This results in unsandboxed code execution in the Jenkins controller process.

debian логотип

CVE-2021-21696

CVSS3: 9.8
debian
больше 4 лет назад

Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not limit agen ...

github логотип

GHSA-c5r9-rx53-q3gf

CVSS3: 8.8
github
больше 3 лет назад

Agent-to-controller access control allowed writing to sensitive directory used by Jenkins Pipeline: Shared Groovy Libraries Plugin

fstec логотип

BDU:2021-05756

CVSS3: 9.8
fstec
больше 4 лет назад

Уязвимость реализации интерфейса FilePath API сервера автоматизации Jenkins, позволяющая нарушителю выполнить произвольный код

EPSS

Процентиль: 76%
0.00954
Низкий

9 Critical

CVSS3