CVE-2021-21602

Aliases:GHSA-vpjm-58cw-r8q5BIT-jenkins-2021-21602

Advisory lineage Upstream: 0 Downstream: 3

Downstream

RHSA-2021:0423 RHSA-2021:0429 RHSA-2021:0637

Modified

Published: 13 Jan 2021, 15:55

Last modified:03 Aug 2024, 18:16

Vulnerability Summary

Overall Risk (default)

medium

26/100

CVSS Score

6.5 MEDIUM

v3.1 (nvd)

EPSS Score

1.67% LOW

2% probability +0.28%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

13 Jan 2021, 15:55

Published

Vulnerability first disclosed

03 Aug 2024, 18:16

Last Modified

Vulnerability information updated

Description

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows reading arbitrary files using the file browser for workspaces and archived artifacts by following symlinks.

CVSS Metrics

v3.1•MEDIUM•Score: 6.5CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
v2.0•MEDIUM•Score: 4AV:N/AC:L/Au:S/C:P/I:N/A:N

EPSS Trends

Current EPSS score: 1.67%• Percentile: 82%

Techniques & Countermeasures

CWE-59•Improper Link Resolution Before File Access ('Link Following')
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Affected Systems

jenkins project•jenkins
≥ unspecified, ≤ 2.274 | ≥ unspecified, ≤ LTS 2.263.1
Unknown•Jenkins
≤ 2.263.1 | ≤ 2.274
org.jenkins-ci.main•jenkins-core
< 2.263.2 | ≥ 2.264, < 2.275