CVE-2021-21606 - log

CVE-2021-21606 edited at 13 Jan 2021 15:12:28
References
https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2023
+ https://github.com/jenkinsci/jenkins/commit/f576b2eb4375f2bb076ce477cee27a946b65f22a
CVE-2021-21606 edited at 13 Jan 2021 14:57:29
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Information disclosure
Description
+ Jenkins provides a feature for jobs to store and track fingerprints of files used during a build. Jenkins 2.274 and earlier, LTS 2.263.1 and earlier provide a REST API to check which builds used a given fingerprint. This endpoint does not fully validate that the provided fingerprint ID is properly formatted before checking for the XML metadata for that fingerprint on the controller file system. This allows attackers with Overall/Read permission to check for the existence of XML files on the controller file system where the relative path can be constructed as 32 characters. Jenkins 2.275, LTS 2.263.2 validates that a fingerprint ID is properly formatted before checking for its existence.
References
+ https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2023
Notes
CVE-2021-21606 created at 13 Jan 2021 14:47:46