Description
Jenkins 2.318 and earlier, and LTS 2.303.2 and earlier, allow any agent to read and write the contents of any build directory stored in Jenkins with very few restrictions.
Remediation
References
http://www.openwall.com/lists/oss-security/2021/11/04/3
https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2428