CVE-2021-21682
Published: 2021-10-06
Priority: P4 · Severity: medium · CVSS 3.1 base score: 4.3
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.97% (57.4th percentile)
Jenkins 2.314 and earlier, LTS 2.303.1 and earlier accepts names of jobs and other entities with a trailing dot character, potentially replacing the configuration and data of other entities on Windows.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | git_plugin | — | — |
| jenkins | jenkins | <= 2.303.1 | — |
| jenkins | jenkins | <= 2.314 | — |
| jenkins | jenkins_core | — | — |
| jenkins | jenkins_lts | — | — |
| jenkins | jenkins_weekly | — | — |
| jenkins_project | jenkins | unspecified – 2.314 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
| NVD | 2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:P/A:N |
OSV
Improper handling of equivalent directory names on Windows in Jenkins
osv · 2022-05-24 · CVE-2021-21682 [MEDIUM]
Jenkins stores jobs and other entities on disk using their name shown on the UI as file and folder names.
On Windows, when specifying a file or folder with a trailing dot character (`example.`), the file or folder will be treated as if that character was not present (`example`). As both are legal names for jobs and other entities in Jenkins 2.314 and earlier, LTS 2.303.1 and earlier, this could allow users with the appropriate permissions to change or replace configurations of jobs and other entities.
Jenkins 2.315 and LTS 2.303.2 do not allow names of jobs and other entities to end with a dot character.
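As an added illustration (not code from Jenkins or from the advisory), the snippet below implements the name rule the fix introduces and an audit that groups entity names an unpatched Windows controller would have stored in the same directory. It goes slightly beyond the advisory by also treating trailing spaces, which Windows strips from a path component in the same way as trailing dots; the function names and the sample job list are constructed.

```python
import re

# Win32 path handling strips trailing dots and spaces from a path component
# before opening it, so "example." (and "example ") resolve to "example".
# The advisory describes the trailing-dot case; trailing spaces are an
# added generalization of the same Windows behaviour.
_TRAILING_DOTS_OR_SPACES = re.compile(r"[. ]+$")


def windows_equivalent_name(name: str) -> str:
    """Return the directory name Windows would actually use for `name`."""
    return _TRAILING_DOTS_OR_SPACES.sub("", name)


def is_valid_entity_name(name: str) -> bool:
    """Accept a job/entity name only if its on-disk form is unchanged.

    This mirrors the rule introduced in Jenkins 2.315 / LTS 2.303.2 (reject a
    trailing dot) and additionally rejects trailing spaces and names made up
    only of dots or spaces, which would collapse to an empty component.
    """
    return bool(name) and windows_equivalent_name(name) == name


def find_collisions(names):
    """Group names that an unpatched controller on Windows would store in the
    same directory.  Feed it the entity names as Jenkins reports them (e.g. the
    items list), not a directory listing: on disk the colliding entries have
    already merged into one folder, so a listing cannot reveal them.
    """
    by_disk_name = {}
    for name in names:
        by_disk_name.setdefault(windows_equivalent_name(name), []).append(name)
    return {disk: owners for disk, owners in by_disk_name.items() if len(owners) > 1}


# Constructed sample (hypothetical data, not from the advisory): job names a
# user with the permission to create jobs could submit to a 2.314 controller.
SAMPLE_JOB_NAMES = ["build-app", "build-app.", "deploy", "deploy...", "nightly"]

if __name__ == "__main__":
    for name in SAMPLE_JOB_NAMES:
        print(f"{name!r:14} valid={is_valid_entity_name(name)}")
    for disk, owners in find_collisions(SAMPLE_JOB_NAMES).items():
        print(f"directory {disk!r} would be shared by {owners}")
```

Running `find_collisions` over the names of existing items on a Windows controller that was upgraded from an affected version shows which entities already share a directory and need renaming or cleanup.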
GHSA
Improper handling of equivalent directory names on Windows in Jenkins
ghsa · 2022-05-24 · CVE-2021-21682 [MEDIUM] · CWE-42 (same description as the OSV entry above)
Jenkins
Jenkins Security Advisory 2021-10-06
vendor_jenkins · 2021-10-06 · CVSS 5.8 · CVE-2014-3577 [MEDIUM]
This advisory announces vulnerabilities in the following Jenkins deliverables: Jenkins (core), Git Plugin.
Descriptions
Improper handling of equivalent directory names on Windows (SECURITY-2424 / CVE-2021-21682)
Severity (CVSS): Medium
Description: Jenkins
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2021-10-06