Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS12cGptLTU4Y3ctcjhxNc4AAnOi

Arbitrary file read vulnerability in workspace browsers in Jenkins

The file browser for workspaces, archived artifacts, and $JENKINS_HOME/userContent/ follows symbolic links to locations outside the directory being browsed in Jenkins 2.274 and earlier, LTS 2.263.1 and earlier.

This allows attackers with Job/Workspace permission and the ability to control workspace contents (e.g., with Job/Configure permission or the ability to change SCM contents) to create symbolic links that allow them to access files outside workspaces using the workspace browser.

This issue is caused by an incomplete fix for SECURITY-904 / CVE-2018-1000862 in the 2018-12-08 security advisory.

Jenkins 2.275, LTS 2.263.2 no longer supports symlinks in workspace browsers. While they may still exist on the file system, they are no longer shown on the UI, accessible via URLs, or included in directory content downloads.

This fix only changes the behavior of the Jenkins UI. Archiving artifacts still behaves as before.

Permalink: https://github.com/advisories/GHSA-vpjm-58cw-r8q5
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12cGptLTU4Y3ctcjhxNc4AAnOi
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: 7 months ago


CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Identifiers: GHSA-vpjm-58cw-r8q5, CVE-2021-21602
References: Repository: https://github.com/jenkinsci/jenkins
Blast Radius: 1.0

Affected Packages

maven:org.jenkins-ci.main:jenkins-core
Affected Version Ranges: >= 2.264, <= 2.274, <= 2.263.1
Fixed in: 2.275, 2.263.2