Description
Jenkins 2.318 and earlier, and LTS 2.303.2 and earlier, allow any agent to read and write the contents of any build directory stored in Jenkins with very few restrictions.
Remediation
References
http://www.openwall.com/lists/oss-security/2021/11/04/3
https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2428