CVE-2021-21683
Published 2021-10-06
Priority: P3 · 39 · Medium · 6.5 (CVSS 3.1)
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:N / A:N
EPSS: 2.10% (79.4th percentile)
The file browser in Jenkins 2.314 and earlier, LTS 2.303.1 and earlier may interpret some paths to files as absolute on Windows, resulting in a path traversal vulnerability allowing attackers with Overall/Read permission (Windows controller) or Job/Workspace permission (Windows agents) to obtain the contents of arbitrary files.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | git_plugin | — | — |
| jenkins | jenkins | <= 2.303.1 | — |
| jenkins | jenkins | <= 2.314 | — |
| jenkins | jenkins_core | — | — |
| jenkins | jenkins_lts | — | — |
| jenkins | jenkins_weekly | — | — |
| jenkins_project | jenkins | unspecified – 2.314 | — |
CVSS provenance
NVD v3.1: 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
NVD v2.0: 4.0 MEDIUM · AV:N/AC:L/Au:S/C:P/I:N/A:N
OSV
Path traversal vulnerability on Windows in Jenkins
osv · 2022-05-24
CVE-2021-21683 [MEDIUM] Path traversal vulnerability on Windows in Jenkins
The file browser for workspaces, archived artifacts, and `userContent/` in Jenkins 2.314 and earlier, LTS 2.303.1 and earlier may interpret some paths to files as absolute on Windows. This results in a path traversal vulnerability allowing attackers with Overall/Read permission (Windows controller) or Job/Workspace permission (Windows agents) to obtain the contents of arbitrary files.

The file browser in Jenkins 2.315, LTS 2.303.2 refuses to serve files that would be considered absolute paths.
GHSA
Path traversal vulnerability on Windows in Jenkins
ghsa · 2022-05-24
CVE-2021-21683 [MEDIUM] CWE-22 Path traversal vulnerability on Windows in Jenkins
Jenkins
Jenkins Security Advisory 2021-10-06
vendor_jenkins · 2021-10-06 · CVSS 5.8
CVE-2014-3577 [MEDIUM] Jenkins Security Advisory 2021-10-06
This advisory announces vulnerabilities in the following Jenkins deliverables:
Jenkins (core)
Git Plugin

Descriptions
Improper handling of equivalent directory names on Windows
SECURITY-2424 / CVE-2021-21682
Severity (CVSS): Medium
Description: Jenkins
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published 2021-10-06