Description
Jenkins 2.318 and earlier, and LTS 2.303.2 and earlier, allow any agent to read and write the contents of any build directory stored in Jenkins with very few restrictions.
Remediation
References
http://www.openwall.com/lists/oss-security/2021/11/04/3
https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2428