CVE-2021-21602 - log

CVE-2021-21602 edited at 13 Jan 2021 15:10:07
References
https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-1452
+ https://github.com/jenkinsci/jenkins/commit/71d2ecf1a4e5303e80815eaa3935c4f2fa3d9104

CVE-2021-21602 edited at 13 Jan 2021 14:55:11
Remote
- Local
+ Remote

CVE-2021-21602 edited at 13 Jan 2021 14:51:00
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Local
Type
- Unknown
+ Arbitrary filesystem access
Description
+ A security issue was found in Jenkins before version 2.275. The file browser for workspaces, archived artifacts, and $JENKINS_HOME/userContent/ follows symbolic links to locations outside the directory being browsed in Jenkins 2.274 and earlier, LTS 2.263.1 and earlier. This allows attackers with Job/Workspace permission and the ability to control workspace contents (e.g., with Job/Configure permission or the ability to change SCM contents) to create symbolic links that allow them to access files outside workspaces using the workspace browser.
References
+ https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-1452
Notes

CVE-2021-21602 created at 13 Jan 2021 14:47:46