Description

FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.

Remediation

References

CVE-2021-21694

Related Vulnerabilities

WordPress Plugin wpStoreCart 'upload.php' Arbitrary File Upload (2.5.29)

WordPress Plugin Appointment Booking Calendar Cross-Site Scripting (1.3.34)

MediaWiki Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2012-5394)

WordPress Plugin Images to WebP Multiple Vulnerabilities (1.8)

WordPress Plugin OAuth Single Sign On-SSO (OAuth Client) Security Bypass (6.22.5)

Severity

Critical

Classification

CVE-2021-21694 CWE-862 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities