Description
Jenkins 2.318 and earlier, and LTS 2.303.2 and earlier, do not limit agent read/write access to the libs/ directory inside build directories when using the FilePath APIs. This allows attackers in control of agent processes to replace the code of a trusted library with a modified variant, which results in unsandboxed code execution in the Jenkins controller process.
Remediation
References