Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1weGdxLWdxcjktNWd3eM4AAnOR
Path traversal vulnerability in Jenkins agent names
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allow users with Agent/Configure permission to choose agent names that cause Jenkins to overwrite unrelated config.xml files. If the global config.xml file is replaced, Jenkins will start up with unsafe legacy defaults after a restart.

Jenkins 2.275, LTS 2.263.2 ensures that agent names are considered valid names for items to prevent this problem.

In case of problems, this change can be reverted by setting the Java system property jenkins.model.Nodes.enforceNameRestrictions to false. Note that reverting it also removes the protection against this vulnerability.
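The following is an added illustration of the traversal primitive described above and of the kind of name check the fix introduces; it is not Jenkins code and not part of the advisory. It assumes that agent configuration is stored at $JENKINS_HOME/nodes/<agent name>/config.xml and that the post-fix restriction mirrors Jenkins' generic item-name check (rejecting "." and ".." and a set of unsafe characters including path separators); both of these are assumptions, as is the JENKINS_HOME value and the UNSAFE_CHARS set. The enforce_name_restrictions parameter stands in for the jenkins.model.Nodes.enforceNameRestrictions system property.

```python
"""Why an unvalidated agent name is a path-traversal primitive.

Assumptions (not stated on the advisory page): agent config lives at
$JENKINS_HOME/nodes/<agent name>/config.xml, and the fixed check mirrors
Jenkins' generic item-name restriction. The values below are constructed
for the demonstration.
"""
import posixpath

JENKINS_HOME = "/var/lib/jenkins"            # assumed install location
NODES_DIR = posixpath.join(JENKINS_HOME, "nodes")
# Characters assumed rejected by the item-name check; note '/' and '\'.
UNSAFE_CHARS = set('?*/\\%!@#$^&|<>[]:;')


def node_config_path(agent_name: str) -> str:
    """Pre-fix behaviour: the raw name is spliced into the path, so '..'
    segments walk out of the nodes directory when the OS resolves it."""
    return posixpath.normpath(posixpath.join(NODES_DIR, agent_name, "config.xml"))


def escapes_nodes_dir(agent_name: str) -> bool:
    """True when the resolved config.xml lies outside $JENKINS_HOME/nodes/."""
    return not node_config_path(agent_name).startswith(NODES_DIR + "/")


def is_good_item_name(name: str) -> bool:
    """Assumed equivalent of the item-name restriction that 2.275 /
    LTS 2.263.2 apply to agent names."""
    name = name.strip()
    if not name or name in (".", ".."):
        return False
    return not any(ch in UNSAFE_CHARS for ch in name)


def save_agent_config(agent_name: str, enforce_name_restrictions: bool = True) -> str:
    """Return the path that would be written. With the restriction enforced
    (the fixed default) a traversing name is rejected before any write;
    with it disabled, the pre-fix behaviour returns."""
    if enforce_name_restrictions and not is_good_item_name(agent_name):
        raise ValueError(f"invalid agent name: {agent_name!r}")
    return node_config_path(agent_name)


if __name__ == "__main__":
    # Constructed sample names: a benign one, two that traverse, one that
    # stays under nodes/ but still fails the item-name rules.
    for name in ["build-agent-1", "..", "../jobs/release", "linux/x86"]:
        flag = "ESCAPES" if escapes_nodes_dir(name) else "ok"
        print(f"{name!r:20} -> {node_config_path(name)}  [{flag}]")
        try:
            save_agent_config(name)
            print("   accepted by fixed check")
        except ValueError as exc:
            print(f"   rejected by fixed check: {exc}")
```

The name ".." alone is enough to land on the global config.xml, which is the case the advisory calls out; a name such as "../jobs/release" reaches an unrelated job configuration instead. The item-name check is stricter than a pure traversal filter (it also rejects "linux/x86", which never leaves nodes/), which is why the advisory offers the system property as an escape hatch for existing installations.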
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1weGdxLWdxcjktNWd3eM4AAnOR
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: 4 months ago
CVSS Score: 8.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Identifiers: GHSA-pxgq-gqr9-5gwx, CVE-2021-21605
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-21605
- https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2021
- https://github.com/jenkinsci/jenkins/commit/b19b34db4b24b163d4edc53ccb84f41a3589cb08
- https://github.com/advisories/GHSA-pxgq-gqr9-5gwx
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.main:jenkins-core
Affected Version Ranges: >= 2.264, < 2.275; < 2.263.2
Fixed in: 2.275, 2.263.2