CVE-2021-21615

Severity: 5.3 MEDIUM
EPSS: 0.4% (top 36.99%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 26; latest update May 24

Description

Jenkins 2.275 and LTS 2.263.2 allow reading arbitrary files using the file browser for workspaces and archived artifacts, due to a time-of-check to time-of-use (TOCTOU) race condition.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 1.6 | Impact: 3.6

Affected Packages (3 packages)

Source     | Package                             | Affected versions
NVD        | jenkins/jenkins                     | < 2.263.3 (+1)
Maven      | org.jenkins-ci.main:jenkins-core    | 2.264, 2.276 (+1)
CVEListV5  | jenkins_project/jenkins             | 2.275, LTS 2.263.2 (+1)

Vulnerability Details (3)

OSV: Time-of-check Time-of-use (TOCTOU) Race Condition in Jenkins (2022-05-24)
GHSA: Time-of-check Time-of-use (TOCTOU) Race Condition in Jenkins (2022-05-24)
CVEList: CVE-2021-21615: Jenkins 2 (2021-01-26)

Vendor Advisories (2)

Jenkins: Jenkins Security Advisory 2021-01-26 (2021-01-26)
Red Hat: jenkins: Filesystem traversal by privileged users (2021-01-26)
Source: cvebase.io