Description

FilePath#renameTo and FilePath#moveAllChildrenTo in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier only check 'read' agent-to-controller access permission on the source path, instead of 'delete'.

Remediation

References

CVE-2021-21692

Related Vulnerabilities

WordPress Plugin WP-Live Chat by 3CX Security Bypass (8.0.32)

ProjectSend Authorization Bypass Through User-Controlled Key Vulnerability (CVE-2017-20101)

Plone CMS Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2012-5508)

Apache HTTP Server Other Vulnerability (CVE-2004-1387)

PHP Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2012-2311)

Severity

Critical

Classification

CVE-2021-21692 CWE-863

Tags

Missing Update Known Vulnerabilities