---

CVE-2021-21696 - log back

CVE-2021-21696 edited at 04 Nov 2021 14:43:26

Description

- Jenkins before version 2.318 and earlier, LTS 2.303.2 and earlier does not limit agent read/write access to the libs/ directory inside build directories when using the FilePath APIs. This directory is used by the "Pipeline: Shared Groovy Libraries" Plugin to store copies of shared libraries. + Jenkins before version 2.319 does not limit agent read/write access to the libs/ directory inside build directories when using the FilePath APIs. This directory is used by the "Pipeline: Shared Groovy Libraries" Plugin to store copies of shared libraries. This allows attackers in control of agent processes to replace the code of a trusted library with a modified variant, resulting in unsandboxed code execution in the Jenkins controller process. Jenkins 2.319 prohibits agent read/write access to the libs/ directory inside build directories.

CVE-2021-21696 edited at 04 Nov 2021 14:42:05
Severity	- Unknown + High
Remote	- Unknown + Remote
Type	- Unknown + Sandbox escape
Description	+ Jenkins before version 2.318 and earlier, LTS 2.303.2 and earlier does not limit agent read/write access to the libs/ directory inside build directories when using the FilePath APIs. This directory is used by the "Pipeline: Shared Groovy Libraries" Plugin to store copies of shared libraries. + + This allows attackers in control of agent processes to replace the code of a trusted library with a modified variant, resulting in unsandboxed code execution in the Jenkins controller process. + + Jenkins 2.319 prohibits agent read/write access to the libs/ directory inside build directories.
References	+ https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2423
Notes

CVE-2021-21696 created at 04 Nov 2021 14:30:58