CVE-2021-21697
CRITICAL9.1EPSS 1.5%Agent-to-controller access control allows reading/writing most content of build directories in Jenkins
Published: 5/24/2022Modified: 4/3/2025
Description
Jenkins 2.318 and earlier, LTS 2.303.2 and earlier allows any agent to read and write the contents of any build directory stored in Jenkins with very few restrictions.
Affected packages (2)
- Bitnami/jenkinsfrom 0, < 2.318.1
- Maven/org.jenkins-ci.main:jenkins-corefrom 0, < 2.303.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
References (6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-21697
- PATCHhttps://github.com/jenkinsci/jenkins
- WEBhttps://github.com/jenkinsci/jenkins/commit/cf388d2a04e6016d23eb93fa3cc804f2554b98f0
- WEBhttps://github.com/jenkinsci/jenkins/commit/eae33841b587da787f37d5b6c8451d483edc04d9
- WEBhttps://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2428
- WEBhttp://www.openwall.com/lists/oss-security/2021/11/04/3