Description

Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.

Remediation

References

https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455

Related Vulnerabilities

CVE-2018-1000404 Vulnerability in maven package com.amazonaws:aws-codebuild

CVE-2021-31407 Vulnerability in maven package com.vaadin:flow-server

CVE-2018-1000151 Vulnerability in maven package org.jenkins-ci.plugins:vsphere-cloud

CVE-2022-25210 Vulnerability in maven package com.convertigo.jenkins.plugins:convertigo-mobile-platform

CVE-2020-6831 Vulnerability in npm package electron

Severity

Critical

Classification

CWE-22 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Vendor Advisory