CVE-2021-21602 — Link Following in Project Jenkins

CWE-59 — Link Following CWE-367 — Time-of-check Time-of-use (TOCTOU) Race Condition8 documents6 sources

Severity

6.5MEDIUMNVD

GHSA4.3OSV4.3

EPSS

1.4%

top 19.60%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Jenkins

Timeline

PublishedJan 13

Latest updateMay 24

Description

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows reading arbitrary files using the file browser for workspaces and archived artifacts by following symlinks.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶NVDjenkins/jenkins2.263.1+1

▶CVEListV5jenkins_project/jenkinsunspecified — 2.274+1

🔴Vulnerability Details

GHSA

Arbitrary file read vulnerability in workspace browsers in Jenkins↗2022-05-24

▶

OSV

Arbitrary file read vulnerability in workspace browsers in Jenkins↗2022-05-24

▶

GHSA

Time-of-check Time-of-use (TOCTOU) Race Condition in Jenkins↗2022-05-24

▶

CVEList

CVE-2021-21602: Jenkins 2↗2021-01-13

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2021-01-26↗2021-01-26

▶

Jenkins

Jenkins Security Advisory 2021-01-13↗2021-01-13

▶

Red Hat

jenkins: Arbitrary file read vulnerability in workspace browsers↗2021-01-13

▶