

Severity: High
EPSS: 0.00383% (percentile 0.58527)

Path traversal vulnerability in Jenkins agent names

Affected package: maven:org.jenkins-ci.main:jenkins-core
Affected versions: >= 2.264, < 2.275; < 2.263.2
Fixed versions: 2.275, 2.263.2

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows users with Agent/Configure permission to choose agent names that cause Jenkins to overwrite unrelated config.xml files. If the global config.xml file is replaced, Jenkins will start up with unsafe legacy defaults after a restart.

Jenkins 2.275, LTS 2.263.2 validates agent names with the same rules applied to item names, so a name can no longer resolve to a path outside the agent's own configuration directory.

In case of problems, this change can be reverted by setting the Java system property jenkins.model.Nodes.enforceNameRestrictions to false.
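As an added illustration (not Jenkins' own code), this is the shape of the check the fix describes: validate the agent name as a safe item name and, as defence in depth, confirm that the resolved config path stays under the nodes directory. The `<JENKINS_HOME>/nodes/<name>/config.xml` layout, the sample home path and the allow-list regex are assumptions of this example.

```python
import re
from pathlib import Path

# Assumed layout (not stated on the page): each agent's configuration is
# stored at <JENKINS_HOME>/nodes/<agent-name>/config.xml.
JENKINS_HOME = Path("/srv/jenkins_home")  # constructed sample value
NODES_DIR = JENKINS_HOME / "nodes"

# Allow-list for a name that will be used as a single directory component:
# letters, digits, underscore, dot, dash and internal spaces; no separators,
# no leading dot, no leading/trailing whitespace. (Assumed rule set.)
_NAME_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_. -]*")


def is_valid_agent_name(name: str) -> bool:
    """Return True only for names that cannot escape NODES_DIR."""
    if not name or name in {".", ".."} or name.strip() != name:
        return False
    if "/" in name or "\\" in name or "\x00" in name:
        return False
    return _NAME_RE.fullmatch(name) is not None


def escapes_nodes_dir(name: str) -> bool:
    """Containment check on its own: does <NODES_DIR>/<name>/config.xml
    resolve to a location outside NODES_DIR? This is what name validation
    is meant to rule out before any file is written."""
    target = (NODES_DIR / name / "config.xml").resolve()
    return NODES_DIR.resolve() not in target.parents


def agent_config_path(name: str) -> Path:
    """Resolve the agent's config.xml, refusing names that fail validation
    or whose resolved path leaves NODES_DIR (defence in depth)."""
    if not is_valid_agent_name(name):
        raise ValueError(f"invalid agent name: {name!r}")
    if escapes_nodes_dir(name):
        raise ValueError(f"agent name escapes nodes directory: {name!r}")
    return (NODES_DIR / name / "config.xml").resolve()


def resolves_safely(name: str) -> bool:
    """Convenience wrapper: True if agent_config_path accepts the name."""
    try:
        agent_config_path(name)
        return True
    except ValueError:
        return False
```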
