Description
In Jenkins 2.318 and earlier, LTS 2.303.2 and earlier, agent processes can completely bypass file path filtering by wrapping the file operation in an agent file path.
Remediation
References
https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455
Related Vulnerabilities
CVE-2023-27902 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2016-8609 Vulnerability in maven package org.keycloak:keycloak-core
CVE-2019-10246 Vulnerability in maven package org.eclipse.jetty:jetty-util
CVE-2012-3546 Vulnerability in maven package org.apache.tomcat:tomcat-catalina
CVE-2017-3589 Vulnerability in maven package mysql:mysql-connector-java