CVE-2021-21615 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	Medium
Remote	Yes
Type	Directory traversal
Description	Due to a time-of-check to time-of-use (TOCTOU) race condition, the file browser for workspaces, archived artifacts, and $JENKINS_HOME/userContent/ follows symbolic links to locations outside the directory being browsed in Jenkins 2.275 and LTS 2.263.2. This allows attackers with Job/Workspace permission and the ability to control workspace contents, e.g., with Job/Configure permission or the ability to change SCM contents, to create symbolic links that allow them to access files outside workspaces using the workspace browser. Jenkins 2.276, LTS 2.263.3 no longer differentiates the check and the use of symlinks in workspace browsers. Note: This issue is caused by an incorrectly applied fix for CVE-2021-21602.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-1491	jenkins	2.275-1	2.276-1	Medium	Fixed

References
https://www.jenkins.io/security/advisory/2021-01-26/#SECURITY-2197 https://issues.jenkins.io/browse/JENKINS-64632 https://github.com/jenkinsci/jenkins/pull/5188 https://github.com/jenkinsci/jenkins/commit/f2d289c00153d71ae5400b2986469b162d1dc6ce

References

https://www.jenkins.io/security/advisory/2021-01-26/#SECURITY-2197
https://issues.jenkins.io/browse/JENKINS-64632
https://github.com/jenkinsci/jenkins/pull/5188
https://github.com/jenkinsci/jenkins/commit/f2d289c00153d71ae5400b2986469b162d1dc6ce