
CVE-2021-21697

Published: 04 Nov 2021
Source: redhat
CVSS3: 8.8
EPSS: Low

Description

Jenkins 2.318 and earlier, LTS 2.303.2 and earlier allows any agent to read and write the contents of any build directory stored in Jenkins with very few restrictions.

An incorrect access restriction vulnerability was found in Jenkins. The directories that agents are allowed to access include the directories in which build-related information is stored; the intent is to let agents record build-related metadata during build execution. As a consequence, an attacker who controls an agent process can read and write the contents of any build directory stored in Jenkins with very few restrictions (build.xml and some Pipeline-related metadata).

Mitigation

Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.

Affected packages

Platform                                   | Package | Status       | Advisory       | Release
Red Hat Fuse 7                             | jenkins | Not affected |                |
Red Hat OpenShift Container Platform 3.11  | jenkins | Fixed        | RHSA-2021:4827 | 02.12.2021
Red Hat OpenShift Container Platform 4.6   | jenkins | Fixed        | RHSA-2021:4799 | 02.12.2021
Red Hat OpenShift Container Platform 4.7   | jenkins | Fixed        | RHSA-2021:4801 | 01.12.2021
Red Hat OpenShift Container Platform 4.8   | jenkins | Fixed        | RHSA-2021:4829 | 30.11.2021
Red Hat OpenShift Container Platform 4.9   | jenkins | Fixed        | RHSA-2021:4833 | 29.11.2021


Additional information

Severity: Important
Weakness: CWE-22
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2020345 (jenkins: Agent-to-controller access control allows reading/writing most content of build directories)

EPSS

Score: 0.00808 (Low)
Percentile: 74%

CVSS3

8.8 High

Related vulnerabilities

CVSS3: 9.1
nvd
more than 4 years ago

Jenkins 2.318 and earlier, LTS 2.303.2 and earlier allows any agent to read and write the contents of any build directory stored in Jenkins with very few restrictions.

CVSS3: 9.1
debian
more than 4 years ago

Jenkins 2.318 and earlier, LTS 2.303.2 and earlier allows any agent to ...

CVSS3: 9.1
github
more than 3 years ago

Agent-to-controller access control allows reading/writing most content of build directories in Jenkins

CVSS3: 9.1
fstec
more than 4 years ago

A vulnerability in the Jenkins automation server related to the use of an incomplete blacklist, allowing an attacker to read and write the contents of any build directory
