AVG-2526

Package jenkins
Status Fixed
Severity Critical
Type multiple issues
Affected 2.318-1
Fixed 2.319-1
Current 2.491-1 [extra]
Ticket None
Created Thu Nov 4 14:30:58 2021
Issue Severity Remote Type Description
CVE-2021-21697 High Yes Arbitrary filesystem access
Agents are allowed some limited access to files on the Jenkins controller file system. The directories agents are allowed to access in Jenkins before 2.319...
CVE-2021-21696 High Yes Sandbox escape
Jenkins before version 2.319 does not limit agent read/write access to the libs/ directory inside build directories when using the FilePath APIs. This...
CVE-2021-21695 Critical Yes Arbitrary filesystem access
A security issue has been found in Jenkins before version 2.319. FilePath#listFiles lists files outside directories with agent read access when following...
CVE-2021-21694 Critical Yes Arbitrary filesystem access
A security issue has been found in Jenkins before version 2.319. FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and...
CVE-2021-21693 Critical Yes Arbitrary filesystem access
A security issue has been found in Jenkins before version 2.319. When creating temporary files, permission to create files is only checked after they’ve...
CVE-2021-21692 Critical Yes Arbitrary filesystem access
A security issue has been found in Jenkins before version 2.319. The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission...
CVE-2021-21691 Critical Yes Arbitrary filesystem access
A security issue has been found in Jenkins before version 2.319. Creating symbolic links is possible without the symlink permission. This allows agent...
CVE-2021-21690 Critical Yes Arbitrary filesystem access
A security issue has been found in Jenkins before version 2.319. Agent processes are able to completely bypass file path filtering by wrapping the file...
CVE-2021-21689 Critical Yes Arbitrary filesystem access
A security issue has been found in Jenkins before version 2.319. FilePath#unzip and FilePath#untar were not subject to any access control. This allows agent...
CVE-2021-21688 Critical Yes Arbitrary filesystem access
A security issue has been found in Jenkins before version 2.319. FilePath#reading(FileVisitor) does not reject any operations, allowing users to have...
CVE-2021-21687 Critical Yes Arbitrary filesystem access
A security issue has been found in Jenkins before version 2.319. FilePath#untar does not check permission to create symbolic links when unarchiving a...
CVE-2021-21686 Critical Yes Arbitrary filesystem access
A security issue has been found in Jenkins before version 2.319. File path filters do not canonicalize paths, allowing operations to follow symbolic links...
CVE-2021-21685 Critical Yes Arbitrary filesystem access
A security issue has been found in Jenkins before version 2.319. FilePath#mkdirs does not check permission to create parent directories. This allows agent...
Date Advisory Package Type
05 Nov 2021 ASA-202111-1 jenkins multiple issues