Description
Jenkins 2.318 and earlier, and LTS 2.303.2 and earlier, allow any agent to read and write the contents of any build directory stored in Jenkins with very few restrictions.
Remediation
References
http://www.openwall.com/lists/oss-security/2021/11/04/3
https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2428
Related Vulnerabilities
CVE-2023-33779 Vulnerability in maven package com.xuxueli:xxl-job
CVE-2023-36479 Vulnerability in maven package org.eclipse.jetty.ee8:jetty-ee8-servlets
CVE-2023-49620 Vulnerability in maven package org.apache.dolphinscheduler:dolphinscheduler-api
CVE-2022-24613 Vulnerability in maven package com.drewnoakes:metadata-extractor
CVE-2020-2226 Vulnerability in maven package org.jenkins-ci.plugins:matrix-project