Description

Jenkins 2.318 and earlier, LTS 2.303.2 and earlier allows any agent to read and write the contents of any build directory stored in Jenkins with very few restrictions.

Remediation

References

http://www.openwall.com/lists/oss-security/2021/11/04/3

https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2428

Related Vulnerabilities

CVE-2019-14439 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind

CVE-2023-42795 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core

CVE-2020-13934 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core

CVE-2014-6071 Vulnerability in maven package org.webjars:jquery

CVE-2019-10761 Vulnerability in npm package vm2

Severity

Critical

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Tags

Mailing List Third Party Advisory Patch Vendor Advisory NVD-CWE-Other