Description
In Jenkins 2.318 and earlier, LTS 2.303.2 and earlier, agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path.
Remediation
References
https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455
Related Vulnerabilities
CVE-2021-41184 Vulnerability in maven package org.webjars.npm:jquery-ui
CVE-2023-34053 Vulnerability in maven package org.springframework:spring-web
CVE-2023-30515 Vulnerability in maven package io.jenkins.plugins:thycotic-devops-secrets-vault
CVE-2016-0781 Vulnerability in maven package org.cloudfoundry.identity:cloudfoundry-identity-login
CVE-2021-21687 Vulnerability in maven package org.jenkins-ci.main:jenkins-core