CVE-2021-21697

Severity
9.1 CRITICAL
EPSS
1.5%
top 19.16%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Nov 4
Latest update: May 24

Description

Jenkins 2.318 and earlier, LTS 2.303.2 and earlier allows any agent to read and write the contents of any build directory stored in Jenkins with very few restrictions.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploitability: 3.9 | Impact: 5.2

Affected Packages (3 packages)

Maven | org.jenkins-ci.main:jenkins-core | 2.304 | 2.319 | +1
NVD | jenkins/jenkins | 2.303.2 | +1
CVEListV5 | jenkins_project/jenkins | unspecified | 2.318 | +1

Patches

Vulnerability Details

3
GHSA
Agent-to-controller access control allows reading/writing most content of build directories in Jenkins (2022-05-24)
OSV
Agent-to-controller access control allows reading/writing most content of build directories in Jenkins (2022-05-24)
CVEList
CVE-2021-21697: Jenkins 2 (2021-11-04)

Vendor Advisories

2
Red Hat
jenkins: Agent-to-controller access control allows reading/writing most content of build directories (2021-11-04)
Jenkins
Jenkins Security Advisory 2021-11-04 (2021-11-04)