CVE-2021-21690
Severity: CRITICAL (9.0)
EPSS: 0.50%
Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in Jenkins
Published: 5/24/2022
Modified: 4/3/2025
Description
Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path in Jenkins LTS 2.303.2 and earlier.
Affected packages (2)
- Bitnami/jenkins: from 0, < 2.319.0
- Maven/org.jenkins-ci.main:jenkins-core: from 0, < 2.303.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL (9.0) | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2021-21690
- PATCH: https://github.com/jenkinsci/jenkins
- WEB: https://github.com/jenkinsci/jenkins/commit/104c751d907919dd53f5090f84d53c671a66457b
- WEB: https://github.com/jenkinsci/jenkins/commit/5a245e42979abe4a26d41727c839521e36cedd74
- WEB: https://github.com/jenkinsci/jenkins/commit/63cde2daadc705edf086f2213b48c8c547f98358
- WEB: https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455