CVE-2021-21692
Vulnerability from cvelistv5
| Vendor | Product |
|---|---|
| Jenkins project | Jenkins |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T18:23:27.493Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jenkins", "vendor": "Jenkins project", "versions": [ { "lessThanOrEqual": "2.318", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThanOrEqual": "LTS 2.303.2", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "FilePath#renameTo and FilePath#moveAllChildrenTo in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier only check \u0027read\u0027 agent-to-controller access permission on the source path, instead of \u0027delete\u0027." } ], "providerMetadata": { "dateUpdated": "2023-10-24T15:52:04.358Z", "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "jenkinsci-cert@googlegroups.com", "ID": "CVE-2021-21692", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jenkins", "version": { "version_data": [ { "version_affected": "\u003c=", "version_value": "2.318" }, { "version_affected": "\u003c=", "version_value": "LTS 2.303.2" } ] } } ] }, "vendor_name": "Jenkins project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "FilePath#renameTo and FilePath#moveAllChildrenTo in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier only check \u0027read\u0027 agent-to-controller access permission on the source path, instead of 
\u0027delete\u0027." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-863: Incorrect Authorization" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "refsource": "CONFIRM", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ] } } } }, "cveMetadata": { "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2021-21692", "datePublished": "2021-11-04T16:30:35", "dateReserved": "2021-01-04T00:00:00", "dateUpdated": "2024-08-03T18:23:27.493Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2021-21692\",\"sourceIdentifier\":\"jenkinsci-cert@googlegroups.com\",\"published\":\"2021-11-04T17:15:08.660\",\"lastModified\":\"2023-11-22T21:23:00.877\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"FilePath#renameTo and FilePath#moveAllChildrenTo in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier only check \u0027read\u0027 agent-to-controller access permission on the source path, instead of \u0027delete\u0027.\"},{\"lang\":\"es\",\"value\":\"FilePath#renameTo y FilePath#moveAllChildrenTo en Jenkins versiones 2.318 y anteriores, LTS versiones 2.303.2 y anteriores ,s\u00f3lo comprueban el permiso de acceso de agente a controlador \\\"read\\\" en la ruta de origen, en lugar de 
\\\"delete\\\"\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\",\"baseScore\":7.5},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*\",\"versionEndExcluding\":\"2.303.3\",\"matchCriteriaId\":\"0B0C915B-C3A9-4BB9-B122-749CF43BB7DE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*\",\"versionEndExcluding\":\"2.319\",\"matchCriteriaId\":\"3D231DBA-462F-4BC5-8F04-23109A7EF1F8\"}]}]}],\"references\":[{\"url\":\"https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455\",\"source\":\"jenkinsci-cert@googlegroups.com\",\"tags\":[\"Vendor Advisory\"]}]}}" } }
rhsa-2021_4799
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat OpenShift Container Platform release 4.6.51 is now available with updates to packages and images that fix several bugs and add enhancements.\n\nThis release includes a security update for Red Hat OpenShift Container Platform 4.6.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.\n\nThis advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.6.51. 
See the following advisory for the container images for this release:\n\nhttps://access.redhat.com/errata/RHBA-2021:4800\n\nSecurity Fix(es):\n\n* jenkins-2-plugins/subversion: does not restrict the name of a file when\nlooking up a subversion key (CVE-2021-21698)\n* jenkins: FilePath#mkdirs does not check permission to create parent\ndirectories (CVE-2021-21685)\n* jenkins: File path filters do not canonicalize paths, allowing operations\nto follow symbolic links to outside allowed directories (CVE-2021-21686)\n* jenkins: FilePath#untar does not check permission to create symbolic\nlinks when unarchiving a symbolic link (CVE-2021-21687)\n* jenkins: FilePath#reading(FileVisitor) does not reject any operations\nallowing users to have unrestricted read access (CVE-2021-21688)\n* jenkins: FilePath#unzip and FilePath#untar were not subject to any access\ncontrol (CVE-2021-21689)\n* jenkins: Agent processes are able to completely bypass file path\nfiltering by wrapping the file operation in an agent file path\n(CVE-2021-21690)\n* jenkins: Creating symbolic links is possible without the symlink\npermission (CVE-2021-21691)\n* jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo\nonly check read permission on the source path (CVE-2021-21692)\n* jenkins: When creating temporary files, permission to create files is\nonly checked after they\u2019ve been created. (CVE-2021-21693)\n* jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize,\nFilePath#isDescendant, and FilePath#get*DiskSpace do not check any\npermissions (CVE-2021-21694)\n* jenkins: FilePath#listFiles lists files outside directories with agent\nread access when following symbolic links. 
(CVE-2021-21695)\n* jenkins: Agent-to-controller access control allowed writing to sensitive\ndirectory used by Pipeline: Shared Groovy Libraries Plugin (CVE-2021-21696)\n* jenkins: Agent-to-controller access control allows reading/writing most\ncontent of build directories (CVE-2021-21697)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAll OpenShift Container Platform 4.6 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.6/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:4799", "url": "https://access.redhat.com/errata/RHSA-2021:4799" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "2020322", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020322" }, { "category": "external", "summary": "2020323", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020323" }, { "category": "external", "summary": "2020324", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020324" }, { "category": "external", "summary": "2020327", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020327" }, { "category": "external", "summary": "2020335", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020335" }, { "category": "external", "summary": "2020336", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020336" }, { "category": "external", "summary": "2020338", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020338" }, { "category": "external", "summary": "2020339", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020339" }, { "category": "external", "summary": "2020341", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020341" }, { "category": "external", "summary": "2020342", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020342" }, { "category": "external", "summary": "2020343", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020343" }, { "category": "external", 
"summary": "2020344", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020344" }, { "category": "external", "summary": "2020345", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020345" }, { "category": "external", "summary": "2020385", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020385" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_4799.json" } ], "title": "Red Hat Security Advisory: OpenShift Container Platform 4.6.51 packages and security update", "tracking": { "current_release_date": "2024-11-06T00:12:06+00:00", "generator": { "date": "2024-11-06T00:12:06+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2021:4799", "initial_release_date": "2021-12-02T18:37:55+00:00", "revision_history": [ { "date": "2021-12-02T18:37:55+00:00", "number": "1", "summary": "Initial version" }, { "date": "2021-12-02T18:37:55+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-06T00:12:06+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat OpenShift Container Platform 4.6", "product": { "name": "Red Hat OpenShift Container Platform 4.6", "product_id": "7Server-RH7-RHOSE-4.6", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:4.6::el7" } } }, { "category": "product_name", "name": "Red Hat OpenShift Container Platform 4.6", "product": { "name": "Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:4.6::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.src", "product": { "name": 
"openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.src", "product_id": "openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift@4.6.0-202111100230.p0.git.6063298.assembly.stream.el7?arch=src" } } }, { "category": "product_version", "name": "jenkins-0:2.303.3.1637597493-1.el8.src", "product": { "name": "jenkins-0:2.303.3.1637597493-1.el8.src", "product_id": "jenkins-0:2.303.3.1637597493-1.el8.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jenkins@2.303.3.1637597493-1.el8?arch=src" } } }, { "category": "product_version", "name": "openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.src", "product": { "name": "openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.src", "product_id": "openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift@4.6.0-202111100230.p0.git.6063298.assembly.stream.el8?arch=src" } } }, { "category": "product_version", "name": "openshift-kuryr-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.src", "product": { "name": "openshift-kuryr-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.src", "product_id": "openshift-kuryr-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift-kuryr@4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8?arch=src" } } }, { "category": "product_version", "name": "jenkins-2-plugins-0:4.6.1637602169-1.el8.src", "product": { "name": "jenkins-2-plugins-0:4.6.1637602169-1.el8.src", "product_id": "jenkins-2-plugins-0:4.6.1637602169-1.el8.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jenkins-2-plugins@4.6.1637602169-1.el8?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": 
"openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.x86_64", "product": { "name": "openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.x86_64", "product_id": "openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift-hyperkube@4.6.0-202111100230.p0.git.6063298.assembly.stream.el7?arch=x86_64" } } }, { "category": "product_version", "name": "openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.x86_64", "product": { "name": "openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.x86_64", "product_id": "openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift-hyperkube@4.6.0-202111100230.p0.git.6063298.assembly.stream.el8?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_version", "name": "jenkins-0:2.303.3.1637597493-1.el8.noarch", "product": { "name": "jenkins-0:2.303.3.1637597493-1.el8.noarch", "product_id": "jenkins-0:2.303.3.1637597493-1.el8.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jenkins@2.303.3.1637597493-1.el8?arch=noarch" } } }, { "category": "product_version", "name": "openshift-kuryr-cni-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "product": { "name": "openshift-kuryr-cni-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "product_id": "openshift-kuryr-cni-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift-kuryr-cni@4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8?arch=noarch" } } }, { "category": "product_version", "name": "openshift-kuryr-common-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "product": { "name": 
"openshift-kuryr-common-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "product_id": "openshift-kuryr-common-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift-kuryr-common@4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8?arch=noarch" } } }, { "category": "product_version", "name": "openshift-kuryr-controller-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "product": { "name": "openshift-kuryr-controller-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "product_id": "openshift-kuryr-controller-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift-kuryr-controller@4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8?arch=noarch" } } }, { "category": "product_version", "name": "python3-kuryr-kubernetes-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "product": { "name": "python3-kuryr-kubernetes-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "product_id": "python3-kuryr-kubernetes-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/python3-kuryr-kubernetes@4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8?arch=noarch" } } }, { "category": "product_version", "name": "jenkins-2-plugins-0:4.6.1637602169-1.el8.noarch", "product": { "name": "jenkins-2-plugins-0:4.6.1637602169-1.el8.noarch", "product_id": "jenkins-2-plugins-0:4.6.1637602169-1.el8.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jenkins-2-plugins@4.6.1637602169-1.el8?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.ppc64le", "product": { "name": 
"openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.ppc64le", "product_id": "openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift-hyperkube@4.6.0-202111100230.p0.git.6063298.assembly.stream.el8?arch=ppc64le" } } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.s390x", "product": { "name": "openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.s390x", "product_id": "openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift-hyperkube@4.6.0-202111100230.p0.git.6063298.assembly.stream.el8?arch=s390x" } } } ], "category": "architecture", "name": "s390x" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.src as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "7Server-RH7-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.src" }, "product_reference": "openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.src", "relates_to_product_reference": "7Server-RH7-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.x86_64 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "7Server-RH7-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.x86_64" }, "product_reference": "openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.x86_64", "relates_to_product_reference": "7Server-RH7-RHOSE-4.6" }, { "category": 
"default_component_of", "full_product_name": { "name": "jenkins-0:2.303.3.1637597493-1.el8.noarch as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch" }, "product_reference": "jenkins-0:2.303.3.1637597493-1.el8.noarch", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "jenkins-0:2.303.3.1637597493-1.el8.src as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src" }, "product_reference": "jenkins-0:2.303.3.1637597493-1.el8.src", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "jenkins-2-plugins-0:4.6.1637602169-1.el8.noarch as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.noarch" }, "product_reference": "jenkins-2-plugins-0:4.6.1637602169-1.el8.noarch", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "jenkins-2-plugins-0:4.6.1637602169-1.el8.src as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.src" }, "product_reference": "jenkins-2-plugins-0:4.6.1637602169-1.el8.src", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.src as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.src" }, "product_reference": "openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.src", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { 
"name": "openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.ppc64le as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.ppc64le" }, "product_reference": "openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.ppc64le", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.s390x as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.s390x" }, "product_reference": "openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.s390x", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.x86_64" }, "product_reference": "openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.x86_64", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-kuryr-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.src as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift-kuryr-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.src" }, "product_reference": "openshift-kuryr-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.src", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": 
"openshift-kuryr-cni-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift-kuryr-cni-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch" }, "product_reference": "openshift-kuryr-cni-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-kuryr-common-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift-kuryr-common-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch" }, "product_reference": "openshift-kuryr-common-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-kuryr-controller-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift-kuryr-controller-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch" }, "product_reference": "openshift-kuryr-controller-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "python3-kuryr-kubernetes-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:python3-kuryr-kubernetes-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch" }, "product_reference": "python3-kuryr-kubernetes-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "relates_to_product_reference": "8Base-RHOSE-4.6" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-21685", 
"cwe": { "id": "CWE-281", "name": "Improper Preservation of Permissions" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.x86_64", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.src", "8Base-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.s390x", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.x86_64", "8Base-RHOSE-4.6:openshift-kuryr-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-kuryr-cni-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-common-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-controller-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:python3-kuryr-kubernetes-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020322" } ], "notes": [ { "category": "description", "text": "An incorrect permissions validation vulnerability was found in Jenkins. 
The FilePath#mkdirs does not check permission to create parent directories, which may allow an attacker who controls the agent process to get read and write arbitrary files on the Jenkins controller file system.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: FilePath#mkdirs does not check permission to create parent directories", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.x86_64", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.src", "8Base-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.s390x", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.x86_64", "8Base-RHOSE-4.6:openshift-kuryr-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-kuryr-cni-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-common-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", 
"8Base-RHOSE-4.6:openshift-kuryr-controller-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:python3-kuryr-kubernetes-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21685" }, { "category": "external", "summary": "RHBZ#2020322", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020322" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21685", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21685" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21685", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21685" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-02T18:37:55+00:00", "details": "For OpenShift Container Platform 4.6 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4799" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue and has not been able to identify a practical example. 
Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.x86_64", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.src", "8Base-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.s390x", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.x86_64", "8Base-RHOSE-4.6:openshift-kuryr-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-kuryr-cni-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-common-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-controller-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:python3-kuryr-kubernetes-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src" ] } ], "threats": [ { "category": 
"impact", "details": "Important" } ], "title": "jenkins: FilePath#mkdirs does not check permission to create parent directories" }, { "cve": "CVE-2021-21686", "cwe": { "id": "CWE-59", "name": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.x86_64", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.src", "8Base-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.s390x", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.x86_64", "8Base-RHOSE-4.6:openshift-kuryr-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-kuryr-cni-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-common-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-controller-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:python3-kuryr-kubernetes-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020323" } ], "notes": [ { "category": "description", "text": "A link following vulnerability was found in Jenkins. The file path filters do not canonicalize paths allowing operations to follow symbolic links to directories they are not supposed to have access to. 
This may allow an attacker to read and write arbitrary files on the Jenkins controller file system.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: File path filters do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.x86_64", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.src", "8Base-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.s390x", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.x86_64", "8Base-RHOSE-4.6:openshift-kuryr-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-kuryr-cni-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-common-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-controller-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", 
"8Base-RHOSE-4.6:python3-kuryr-kubernetes-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21686" }, { "category": "external", "summary": "RHBZ#2020323", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020323" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21686", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21686" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21686", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21686" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-02T18:37:55+00:00", "details": "For OpenShift Container Platform 4.6 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4799" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. 
Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.x86_64", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.src", "8Base-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.s390x", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.x86_64", "8Base-RHOSE-4.6:openshift-kuryr-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-kuryr-cni-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-common-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-controller-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:python3-kuryr-kubernetes-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src" ] } ], "threats": [ { "category": 
"impact", "details": "Important" } ], "title": "jenkins: File path filters do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories" }, { "cve": "CVE-2021-21687", "cwe": { "id": "CWE-59", "name": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.x86_64", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.src", "8Base-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.s390x", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.x86_64", "8Base-RHOSE-4.6:openshift-kuryr-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-kuryr-cni-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-common-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-controller-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:python3-kuryr-kubernetes-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020324" } ], "notes": [ { "category": "description", "text": "An incorrect permissions validation vulnerability was found in Jenkins. 
The FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic link, which may allow an attacker to get read and write access to arbitrary files on the Jenkins controller file system.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic link", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.x86_64", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.src", "8Base-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.s390x", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.x86_64", "8Base-RHOSE-4.6:openshift-kuryr-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-kuryr-cni-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-common-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", 
"8Base-RHOSE-4.6:openshift-kuryr-controller-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:python3-kuryr-kubernetes-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21687" }, { "category": "external", "summary": "RHBZ#2020324", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020324" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21687", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21687" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21687", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21687" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-02T18:37:55+00:00", "details": "For OpenShift Container Platform 4.6 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4799" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. 
Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.x86_64", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.src", "8Base-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.s390x", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.x86_64", "8Base-RHOSE-4.6:openshift-kuryr-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-kuryr-cni-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-common-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-controller-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:python3-kuryr-kubernetes-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src" ] } ], "threats": [ { "category": 
"impact", "details": "Important" } ], "title": "jenkins: FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic link" }, { "cve": "CVE-2021-21688", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.x86_64", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.src", "8Base-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.s390x", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.x86_64", "8Base-RHOSE-4.6:openshift-kuryr-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-kuryr-cni-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-common-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-controller-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:python3-kuryr-kubernetes-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020327" } ], "notes": [ { "category": "description", "text": "An incorrect access restriction vulnerability was found in Jenkins. 
The FilePath#reading(FileVisitor) does not reject any operations giving users unrestricted read access with certain operations (creating archives, #copyRecursiveTo). This may allow an attacker to get access to restricted data.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: FilePath#reading(FileVisitor) does not reject any operations allowing users to have unrestricted read access", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.x86_64", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.src", "8Base-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.s390x", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.x86_64", "8Base-RHOSE-4.6:openshift-kuryr-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-kuryr-cni-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-common-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", 
"8Base-RHOSE-4.6:openshift-kuryr-controller-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:python3-kuryr-kubernetes-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21688" }, { "category": "external", "summary": "RHBZ#2020327", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020327" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21688", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21688" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21688", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21688" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-02T18:37:55+00:00", "details": "For OpenShift Container Platform 4.6 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4799" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. 
Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.x86_64", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.src", "8Base-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.s390x", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.x86_64", "8Base-RHOSE-4.6:openshift-kuryr-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-kuryr-cni-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-common-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-controller-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:python3-kuryr-kubernetes-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src" ] } ], "threats": [ { "category": "impact", 
"details": "Important" } ], "title": "jenkins: FilePath#reading(FileVisitor) does not reject any operations allowing users to have unrestricted read access" }, { "cve": "CVE-2021-21689", "cwe": { "id": "CWE-276", "name": "Incorrect Default Permissions" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.x86_64", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.src", "8Base-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.s390x", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.x86_64", "8Base-RHOSE-4.6:openshift-kuryr-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-kuryr-cni-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-common-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-controller-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:python3-kuryr-kubernetes-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020335" } ], "notes": [ { "category": "description", "text": "An incorrect access control vulnerability was found in Jenkins. The FilePath#unzip and FilePath#untar were not subjected to any access control. 
An attacker with access to FilePath#unzip or FilePath#untar operations is able to read and write arbitrary files on the Jenkins controller file system.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: FilePath#unzip and FilePath#untar were not subject to any access control", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.x86_64", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.src", "8Base-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.s390x", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.x86_64", "8Base-RHOSE-4.6:openshift-kuryr-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-kuryr-cni-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-common-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-controller-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", 
"8Base-RHOSE-4.6:python3-kuryr-kubernetes-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21689" }, { "category": "external", "summary": "RHBZ#2020335", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020335" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21689", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21689" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21689", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21689" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-02T18:37:55+00:00", "details": "For OpenShift Container Platform 4.6 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4799" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. 
Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.x86_64", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.src", "8Base-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.s390x", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.x86_64", "8Base-RHOSE-4.6:openshift-kuryr-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-kuryr-cni-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-common-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-controller-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:python3-kuryr-kubernetes-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src" ] } ], "threats": [ { "category": 
"impact", "details": "Important" } ], "title": "jenkins: FilePath#unzip and FilePath#untar were not subject to any access control" }, { "cve": "CVE-2021-21690", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.x86_64", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.src", "8Base-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.s390x", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.x86_64", "8Base-RHOSE-4.6:openshift-kuryr-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-kuryr-cni-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-common-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-controller-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:python3-kuryr-kubernetes-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020336" } ], "notes": [ { "category": "description", "text": "A file path filtering bypass vulnerability was found in Jenkins. Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path. 
This may allow an attacker who controls the agent process to get read and write access to arbitrary files on the Jenkins controller file system.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.x86_64", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.src", "8Base-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.s390x", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.x86_64", "8Base-RHOSE-4.6:openshift-kuryr-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-kuryr-cni-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-common-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-controller-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", 
"8Base-RHOSE-4.6:python3-kuryr-kubernetes-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21690" }, { "category": "external", "summary": "RHBZ#2020336", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020336" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21690", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21690" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21690", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21690" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-02T18:37:55+00:00", "details": "For OpenShift Container Platform 4.6 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4799" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. 
Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.x86_64", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.src", "8Base-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.s390x", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.x86_64", "8Base-RHOSE-4.6:openshift-kuryr-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-kuryr-cni-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-common-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-controller-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:python3-kuryr-kubernetes-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src" ] } ], "threats": [ { "category": 
"impact", "details": "Important" } ], "title": "jenkins: Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path" }, { "cve": "CVE-2021-21691", "cwe": { "id": "CWE-276", "name": "Incorrect Default Permissions" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.x86_64", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.src", "8Base-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.s390x", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.x86_64", "8Base-RHOSE-4.6:openshift-kuryr-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-kuryr-cni-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-common-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-controller-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:python3-kuryr-kubernetes-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020338" } ], "notes": [ { "category": "description", "text": "A vulnerability was found in Jenkins which failed to correctly validate permissions. This flaw allowed any user to create symbolic links regardless if they had the symlink permission. 
It may allow an attacker to read and write to arbitrary files on the Jenkins controller file system.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: Creating symbolic links is possible without the symlink permission", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.x86_64", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.src", "8Base-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.s390x", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.x86_64", "8Base-RHOSE-4.6:openshift-kuryr-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-kuryr-cni-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-common-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-controller-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:python3-kuryr-kubernetes-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch" ] }, 
"references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21691" }, { "category": "external", "summary": "RHBZ#2020338", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020338" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21691", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21691" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21691", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21691" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-02T18:37:55+00:00", "details": "For OpenShift Container Platform 4.6 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4799" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. 
Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.x86_64", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.src", "8Base-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.s390x", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.x86_64", "8Base-RHOSE-4.6:openshift-kuryr-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-kuryr-cni-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-common-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-controller-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:python3-kuryr-kubernetes-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src" ] } ], "threats": [ { "category": 
"impact", "details": "Important" } ], "title": "jenkins: Creating symbolic links is possible without the symlink permission" }, { "cve": "CVE-2021-21692", "cwe": { "id": "CWE-276", "name": "Incorrect Default Permissions" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.x86_64", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.src", "8Base-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.s390x", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.x86_64", "8Base-RHOSE-4.6:openshift-kuryr-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-kuryr-cni-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-common-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-controller-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:python3-kuryr-kubernetes-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020339" } ], "notes": [ { "category": "description", "text": "An incorrect permissions validation vulnerability was found in Jenkins. 
The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the source path which may allow an attacker who has access to these operations to be able to read and write to arbitrary files on the Jenkins controller file system.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the source path", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.x86_64", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.src", "8Base-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.s390x", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.x86_64", "8Base-RHOSE-4.6:openshift-kuryr-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-kuryr-cni-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-common-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", 
"8Base-RHOSE-4.6:openshift-kuryr-controller-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:python3-kuryr-kubernetes-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21692" }, { "category": "external", "summary": "RHBZ#2020339", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020339" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21692", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21692" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21692", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21692" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-02T18:37:55+00:00", "details": "For OpenShift Container Platform 4.6 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4799" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. 
Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.x86_64", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.src", "8Base-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.s390x", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.x86_64", "8Base-RHOSE-4.6:openshift-kuryr-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-kuryr-cni-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-common-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-controller-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:python3-kuryr-kubernetes-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src" ] } ], "threats": [ { "category": 
"impact", "details": "Important" } ], "title": "jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the source path" }, { "cve": "CVE-2021-21693", "cwe": { "id": "CWE-276", "name": "Incorrect Default Permissions" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.x86_64", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.src", "8Base-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.s390x", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.x86_64", "8Base-RHOSE-4.6:openshift-kuryr-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-kuryr-cni-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-common-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-controller-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:python3-kuryr-kubernetes-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020341" } ], "notes": [ { "category": "description", "text": "An incorrect permissions validation vulnerability was found in Jenkins. The permissions to create temporary files are only checked after they have been created. 
This may allow an attacker to get access to restricted data.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: When creating temporary files, permission to create files is only checked after they\u2019ve been created.", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.x86_64", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.src", "8Base-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.s390x", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.x86_64", "8Base-RHOSE-4.6:openshift-kuryr-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-kuryr-cni-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-common-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-controller-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:python3-kuryr-kubernetes-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch" ] }, 
"references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21693" }, { "category": "external", "summary": "RHBZ#2020341", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020341" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21693", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21693" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21693", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21693" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-02T18:37:55+00:00", "details": "For OpenShift Container Platform 4.6 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4799" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. 
Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.x86_64", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.src", "8Base-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.s390x", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.x86_64", "8Base-RHOSE-4.6:openshift-kuryr-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-kuryr-cni-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-common-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-controller-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:python3-kuryr-kubernetes-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src" ] } ], "threats": [ { "category": 
"impact", "details": "Important" } ], "title": "jenkins: When creating temporary files, permission to create files is only checked after they\u2019ve been created." }, { "cve": "CVE-2021-21694", "cwe": { "id": "CWE-863", "name": "Incorrect Authorization" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.x86_64", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.src", "8Base-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.s390x", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.x86_64", "8Base-RHOSE-4.6:openshift-kuryr-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-kuryr-cni-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-common-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-controller-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:python3-kuryr-kubernetes-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020342" } ], "notes": [ { "category": "description", "text": "An incorrect permissions validation vulnerability was found in Jenkins. 
The FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions, which may allow an attacker who has access to any of these operations to be able to read and write arbitrary files on the Jenkins controller file system.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.x86_64", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.src", "8Base-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.s390x", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.x86_64", "8Base-RHOSE-4.6:openshift-kuryr-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-kuryr-cni-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", 
"8Base-RHOSE-4.6:openshift-kuryr-common-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-controller-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:python3-kuryr-kubernetes-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21694" }, { "category": "external", "summary": "RHBZ#2020342", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020342" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21694", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21694" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21694", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21694" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-02T18:37:55+00:00", "details": "For OpenShift Container Platform 4.6 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4799" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation 
exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.x86_64", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.src", "8Base-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.s390x", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.x86_64", "8Base-RHOSE-4.6:openshift-kuryr-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-kuryr-cni-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-common-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-controller-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:python3-kuryr-kubernetes-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", 
"8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions" }, { "cve": "CVE-2021-21695", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.x86_64", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.src", "8Base-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.s390x", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.x86_64", "8Base-RHOSE-4.6:openshift-kuryr-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-kuryr-cni-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-common-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-controller-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:python3-kuryr-kubernetes-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020343" } ], "notes": [ { "category": "description", "text": "An incorrect permissions validation vulnerability was found in 
Jenkins. The FilePath#listFiles lists files outside directories with agent read access when following symbolic links. This may allow an attacker to get access to restricted data.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: FilePath#listFiles lists files outside directories with agent read access when following symbolic links.", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.x86_64", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.src", "8Base-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.s390x", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.x86_64", "8Base-RHOSE-4.6:openshift-kuryr-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-kuryr-cni-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-common-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", 
"8Base-RHOSE-4.6:openshift-kuryr-controller-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:python3-kuryr-kubernetes-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21695" }, { "category": "external", "summary": "RHBZ#2020343", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020343" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21695", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21695" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21695", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21695" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-02T18:37:55+00:00", "details": "For OpenShift Container Platform 4.6 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4799" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. 
Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.x86_64", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.src", "8Base-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.s390x", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.x86_64", "8Base-RHOSE-4.6:openshift-kuryr-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-kuryr-cni-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-common-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-controller-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:python3-kuryr-kubernetes-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src" ] } ], "threats": [ { "category": 
"impact", "details": "Important" } ], "title": "jenkins: FilePath#listFiles lists files outside directories with agent read access when following symbolic links." }, { "cve": "CVE-2021-21696", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.x86_64", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.src", "8Base-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.s390x", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.x86_64", "8Base-RHOSE-4.6:openshift-kuryr-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-kuryr-cni-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-common-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-controller-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:python3-kuryr-kubernetes-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020344" } ], "notes": [ { "category": "description", "text": "An incorrect permissions validation vulnerability was found in Jenkins. 
An agent process read/write access to the libs/ directory inside build directories when using the FilePath APIs is not limited. This allows attackers in control of agent processes to replace the code of a trusted library with a modified variant, resulting in unsandboxed code execution in the Jenkins controller process.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: Agent-to-controller access control allowed writing to sensitive directory used by Pipeline: Shared Groovy Libraries Plugin", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.x86_64", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.src", "8Base-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.s390x", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.x86_64", "8Base-RHOSE-4.6:openshift-kuryr-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-kuryr-cni-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", 
"8Base-RHOSE-4.6:openshift-kuryr-common-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-controller-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:python3-kuryr-kubernetes-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21696" }, { "category": "external", "summary": "RHBZ#2020344", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020344" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21696", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21696" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21696", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21696" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2423", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2423" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-02T18:37:55+00:00", "details": "For OpenShift Container Platform 4.6 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4799" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation 
exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.x86_64", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.src", "8Base-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.s390x", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.x86_64", "8Base-RHOSE-4.6:openshift-kuryr-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-kuryr-cni-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-common-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-controller-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:python3-kuryr-kubernetes-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", 
"8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: Agent-to-controller access control allowed writing to sensitive directory used by Pipeline: Shared Groovy Libraries Plugin" }, { "cve": "CVE-2021-21697", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.x86_64", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.src", "8Base-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.s390x", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.x86_64", "8Base-RHOSE-4.6:openshift-kuryr-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-kuryr-cni-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-common-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-controller-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:python3-kuryr-kubernetes-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020345" } ], "notes": [ { "category": "description", "text": "An incorrect access restriction vulnerability was found in Jenkins. 
The directories agents are allowed to access include the directories where there are stored build-related information intended to allow agents to store build-related metadata during build execution. As a consequence, this allows an attacker who controls agent process to read and write the contents of any build directory stored in Jenkins with very few restrictions (build.xml and some Pipeline-related metadata).", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: Agent-to-controller access control allows reading/writing most content of build directories", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.x86_64", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.src", "8Base-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.s390x", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.x86_64", "8Base-RHOSE-4.6:openshift-kuryr-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.src", 
"8Base-RHOSE-4.6:openshift-kuryr-cni-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-common-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-controller-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:python3-kuryr-kubernetes-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21697" }, { "category": "external", "summary": "RHBZ#2020345", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020345" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21697", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21697" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21697", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21697" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2428", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2428" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-02T18:37:55+00:00", "details": "For OpenShift Container Platform 4.6 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src" ], "restart_required": { "category": "none" }, "url": 
"https://access.redhat.com/errata/RHSA-2021:4799" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.x86_64", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.src", "8Base-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.s390x", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.x86_64", "8Base-RHOSE-4.6:openshift-kuryr-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-kuryr-cni-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-common-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-controller-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:python3-kuryr-kubernetes-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: Agent-to-controller access control allows reading/writing most content of build directories" }, { "cve": "CVE-2021-21698", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.x86_64", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src", "8Base-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.s390x", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.x86_64", "8Base-RHOSE-4.6:openshift-kuryr-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-kuryr-cni-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-common-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-controller-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:python3-kuryr-kubernetes-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020385" } ], "notes": [ { "category": 
"description", "text": "An incorrect access restriction vulnerability was found in the Subversion Plugin for Jenkins. An agent\u0027s ability to learn the name of a file is not restricted when looking up a subversion key file on the controller. This may allow attackers to control agent processes and read arbitrary files on the Jenkins controller file system.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins-2-plugins/subversion: does not restrict the name of a file when looking up a subversion key", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.x86_64", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-0:2.303.3.1637597493-1.el8.src", "8Base-RHOSE-4.6:openshift-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.s390x", "8Base-RHOSE-4.6:openshift-hyperkube-0:4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.x86_64", "8Base-RHOSE-4.6:openshift-kuryr-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.src", "8Base-RHOSE-4.6:openshift-kuryr-cni-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", 
"8Base-RHOSE-4.6:openshift-kuryr-common-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:openshift-kuryr-controller-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch", "8Base-RHOSE-4.6:python3-kuryr-kubernetes-0:4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21698" }, { "category": "external", "summary": "RHBZ#2020385", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020385" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21698", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21698" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21698", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21698" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2506", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2506" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-02T18:37:55+00:00", "details": "For OpenShift Container Platform 4.6 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4799" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", 
"availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.noarch", "8Base-RHOSE-4.6:jenkins-2-plugins-0:4.6.1637602169-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jenkins-2-plugins/subversion: does not restrict the name of a file when looking up a subversion key" } ] }
rhsa-2021_4829
Vulnerability from csaf_redhat
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat OpenShift Container Platform release 4.8.22 is now available with updates to packages and images that fix several bugs and add enhancements.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.\n\nThis advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.8.22. See the following advisory for the container images for this release:\n\nhttps://access.redhat.com/errata/RHBA-2021:4830\n\nAll OpenShift Container Platform 4.8 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console\nor the CLI oc command. 
Instructions for upgrading a cluster are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor\n\nSecurity Fix(es):\n\n* jenkins-2-plugins/subversion: does not restrict the name of a file when looking up a subversion key (CVE-2021-21698)\n* jenkins: FilePath#mkdirs does not check permission to create parent directories (CVE-2021-21685)\n* jenkins: File path filters do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories (CVE-2021-21686)\n* jenkins: FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic link (CVE-2021-21687)\n* jenkins: FilePath#reading(FileVisitor) does not reject any operations allowing users to have unrestricted read access (CVE-2021-21688)\n* coreos-installer: restrict access permissions on /boot/ignition{,/config.ign} (CVE-2021-3917)\n* jenkins: FilePath#unzip and FilePath#untar were not subject to any access control (CVE-2021-21689)\n* jenkins: Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path (CVE-2021-21690)\n* jenkins: Creating symbolic links is possible without the symlink permission (CVE-2021-21691)\n* jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the source path (CVE-2021-21692)\n* jenkins: When creating temporary files, permission to create files is only checked after they\u2019ve been created. (CVE-2021-21693)\n* jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions (CVE-2021-21694)\n* jenkins: FilePath#listFiles lists files outside directories with agent read access when following symbolic links. 
(CVE-2021-21695)\n* jenkins: Agent-to-controller access control allowed writing to sensitive directory used by Pipeline: Shared Groovy Libraries Plugin (CVE-2021-21696)\n* jenkins: Agent-to-controller access control allows reading/writing most content of build directories (CVE-2021-21697)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:4829", "url": "https://access.redhat.com/errata/RHSA-2021:4829" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "2018478", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2018478" }, { "category": "external", "summary": "2020322", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020322" }, { "category": "external", "summary": "2020323", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020323" }, { "category": "external", "summary": "2020324", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020324" }, { "category": 
"external", "summary": "2020327", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020327" }, { "category": "external", "summary": "2020335", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020335" }, { "category": "external", "summary": "2020336", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020336" }, { "category": "external", "summary": "2020338", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020338" }, { "category": "external", "summary": "2020339", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020339" }, { "category": "external", "summary": "2020341", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020341" }, { "category": "external", "summary": "2020342", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020342" }, { "category": "external", "summary": "2020343", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020343" }, { "category": "external", "summary": "2020344", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020344" }, { "category": "external", "summary": "2020345", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020345" }, { "category": "external", "summary": "2020385", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020385" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_4829.json" } ], "title": "Red Hat Security Advisory: OpenShift Container Platform 4.8.22 security update", "tracking": { "current_release_date": "2024-11-06T00:12:09+00:00", "generator": { "date": "2024-11-06T00:12:09+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2021:4829", "initial_release_date": "2021-11-30T09:11:27+00:00", "revision_history": [ { "date": "2021-11-30T09:11:27+00:00", "number": "1", "summary": "Initial version" }, { "date": "2021-11-30T09:11:27+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-06T00:12:09+00:00", "number": "3", "summary": "Last generated 
version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat OpenShift Container Platform 4.8", "product": { "name": "Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:4.8::el8" } } }, { "category": "product_name", "name": "Red Hat OpenShift Container Platform 4.8", "product": { "name": "Red Hat OpenShift Container Platform 4.8", "product_id": "7Server-RH7-RHOSE-4.8", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:4.8::el7" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "coreos-installer-0:0.9.0-8.rhaos4.8.el8.src", "product": { "name": "coreos-installer-0:0.9.0-8.rhaos4.8.el8.src", "product_id": "coreos-installer-0:0.9.0-8.rhaos4.8.el8.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/coreos-installer@0.9.0-8.rhaos4.8.el8?arch=src" } } }, { "category": "product_version", "name": "cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.src", "product": { "name": "cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.src", "product_id": "cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o@1.21.4-3.rhaos4.8.git84fa55d.el8?arch=src" } } }, { "category": "product_version", "name": "jenkins-0:2.303.3.1637596565-1.el8.src", "product": { "name": "jenkins-0:2.303.3.1637596565-1.el8.src", "product_id": "jenkins-0:2.303.3.1637596565-1.el8.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jenkins@2.303.3.1637596565-1.el8?arch=src" } } }, { "category": "product_version", "name": "jenkins-2-plugins-0:4.8.1637599935-1.el8.src", "product": { "name": "jenkins-2-plugins-0:4.8.1637599935-1.el8.src", "product_id": "jenkins-2-plugins-0:4.8.1637599935-1.el8.src", "product_identification_helper": { "purl": 
"pkg:rpm/redhat/jenkins-2-plugins@4.8.1637599935-1.el8?arch=src" } } }, { "category": "product_version", "name": "openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.src", "product": { "name": "openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.src", "product_id": "openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift@4.8.0-202111221934.p0.g81bc627.assembly.stream.el8?arch=src" } } }, { "category": "product_version", "name": "openshift-kuryr-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.src", "product": { "name": "openshift-kuryr-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.src", "product_id": "openshift-kuryr-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift-kuryr@4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8?arch=src" } } }, { "category": "product_version", "name": "python-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.src", "product": { "name": "python-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.src", "product_id": "python-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/python-sushy@3.7.4-0.20211119091058.2cc60dc.el8?arch=src" } } }, { "category": "product_version", "name": "cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.src", "product": { "name": "cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.src", "product_id": "cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o@1.21.4-3.rhaos4.8.git84fa55d.el7?arch=src" } } }, { "category": "product_version", "name": "openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.src", "product": { "name": "openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.src", "product_id": "openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.src", "product_identification_helper": { "purl": 
"pkg:rpm/redhat/openshift@4.8.0-202111221934.p0.g81bc627.assembly.stream.el7?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "coreos-installer-0:0.9.0-8.rhaos4.8.el8.x86_64", "product": { "name": "coreos-installer-0:0.9.0-8.rhaos4.8.el8.x86_64", "product_id": "coreos-installer-0:0.9.0-8.rhaos4.8.el8.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/coreos-installer@0.9.0-8.rhaos4.8.el8?arch=x86_64" } } }, { "category": "product_version", "name": "coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.x86_64", "product": { "name": "coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.x86_64", "product_id": "coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/coreos-installer-debugsource@0.9.0-8.rhaos4.8.el8?arch=x86_64" } } }, { "category": "product_version", "name": "coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "product": { "name": "coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "product_id": "coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/coreos-installer-bootinfra-debuginfo@0.9.0-8.rhaos4.8.el8?arch=x86_64" } } }, { "category": "product_version", "name": "coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "product": { "name": "coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "product_id": "coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/coreos-installer-debuginfo@0.9.0-8.rhaos4.8.el8?arch=x86_64" } } }, { "category": "product_version", "name": "cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "product": { "name": "cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "product_id": "cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "product_identification_helper": { "purl": 
"pkg:rpm/redhat/cri-o@1.21.4-3.rhaos4.8.git84fa55d.el8?arch=x86_64" } } }, { "category": "product_version", "name": "cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "product": { "name": "cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "product_id": "cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o-debugsource@1.21.4-3.rhaos4.8.git84fa55d.el8?arch=x86_64" } } }, { "category": "product_version", "name": "cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "product": { "name": "cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "product_id": "cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o-debuginfo@1.21.4-3.rhaos4.8.git84fa55d.el8?arch=x86_64" } } }, { "category": "product_version", "name": "openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.x86_64", "product": { "name": "openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.x86_64", "product_id": "openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift-hyperkube@4.8.0-202111221934.p0.g81bc627.assembly.stream.el8?arch=x86_64" } } }, { "category": "product_version", "name": "cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "product": { "name": "cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "product_id": "cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o@1.21.4-3.rhaos4.8.git84fa55d.el7?arch=x86_64" } } }, { "category": "product_version", "name": "cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "product": { "name": "cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "product_id": "cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "product_identification_helper": { "purl": 
"pkg:rpm/redhat/cri-o-debuginfo@1.21.4-3.rhaos4.8.git84fa55d.el7?arch=x86_64" } } }, { "category": "product_version", "name": "openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.x86_64", "product": { "name": "openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.x86_64", "product_id": "openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift-hyperkube@4.8.0-202111221934.p0.g81bc627.assembly.stream.el7?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_version", "name": "coreos-installer-0:0.9.0-8.rhaos4.8.el8.ppc64le", "product": { "name": "coreos-installer-0:0.9.0-8.rhaos4.8.el8.ppc64le", "product_id": "coreos-installer-0:0.9.0-8.rhaos4.8.el8.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/coreos-installer@0.9.0-8.rhaos4.8.el8?arch=ppc64le" } } }, { "category": "product_version", "name": "coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.ppc64le", "product": { "name": "coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.ppc64le", "product_id": "coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/coreos-installer-bootinfra@0.9.0-8.rhaos4.8.el8?arch=ppc64le" } } }, { "category": "product_version", "name": "coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.ppc64le", "product": { "name": "coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.ppc64le", "product_id": "coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/coreos-installer-debugsource@0.9.0-8.rhaos4.8.el8?arch=ppc64le" } } }, { "category": "product_version", "name": "coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "product": { "name": "coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "product_id": 
"coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/coreos-installer-bootinfra-debuginfo@0.9.0-8.rhaos4.8.el8?arch=ppc64le" } } }, { "category": "product_version", "name": "coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "product": { "name": "coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "product_id": "coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/coreos-installer-debuginfo@0.9.0-8.rhaos4.8.el8?arch=ppc64le" } } }, { "category": "product_version", "name": "cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "product": { "name": "cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "product_id": "cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o@1.21.4-3.rhaos4.8.git84fa55d.el8?arch=ppc64le" } } }, { "category": "product_version", "name": "cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "product": { "name": "cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "product_id": "cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o-debugsource@1.21.4-3.rhaos4.8.git84fa55d.el8?arch=ppc64le" } } }, { "category": "product_version", "name": "cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "product": { "name": "cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "product_id": "cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o-debuginfo@1.21.4-3.rhaos4.8.git84fa55d.el8?arch=ppc64le" } } }, { "category": "product_version", "name": "openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.ppc64le", "product": { "name": "openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.ppc64le", "product_id": 
"openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift-hyperkube@4.8.0-202111221934.p0.g81bc627.assembly.stream.el8?arch=ppc64le" } } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "coreos-installer-0:0.9.0-8.rhaos4.8.el8.s390x", "product": { "name": "coreos-installer-0:0.9.0-8.rhaos4.8.el8.s390x", "product_id": "coreos-installer-0:0.9.0-8.rhaos4.8.el8.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/coreos-installer@0.9.0-8.rhaos4.8.el8?arch=s390x" } } }, { "category": "product_version", "name": "coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.s390x", "product": { "name": "coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.s390x", "product_id": "coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/coreos-installer-bootinfra@0.9.0-8.rhaos4.8.el8?arch=s390x" } } }, { "category": "product_version", "name": "coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.s390x", "product": { "name": "coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.s390x", "product_id": "coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/coreos-installer-debugsource@0.9.0-8.rhaos4.8.el8?arch=s390x" } } }, { "category": "product_version", "name": "coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "product": { "name": "coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "product_id": "coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/coreos-installer-bootinfra-debuginfo@0.9.0-8.rhaos4.8.el8?arch=s390x" } } }, { "category": "product_version", "name": "coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "product": { "name": 
"coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "product_id": "coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/coreos-installer-debuginfo@0.9.0-8.rhaos4.8.el8?arch=s390x" } } }, { "category": "product_version", "name": "cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "product": { "name": "cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "product_id": "cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o@1.21.4-3.rhaos4.8.git84fa55d.el8?arch=s390x" } } }, { "category": "product_version", "name": "cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "product": { "name": "cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "product_id": "cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o-debugsource@1.21.4-3.rhaos4.8.git84fa55d.el8?arch=s390x" } } }, { "category": "product_version", "name": "cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "product": { "name": "cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "product_id": "cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o-debuginfo@1.21.4-3.rhaos4.8.git84fa55d.el8?arch=s390x" } } }, { "category": "product_version", "name": "openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.s390x", "product": { "name": "openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.s390x", "product_id": "openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift-hyperkube@4.8.0-202111221934.p0.g81bc627.assembly.stream.el8?arch=s390x" } } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "jenkins-0:2.303.3.1637596565-1.el8.noarch", 
"product": { "name": "jenkins-0:2.303.3.1637596565-1.el8.noarch", "product_id": "jenkins-0:2.303.3.1637596565-1.el8.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jenkins@2.303.3.1637596565-1.el8?arch=noarch" } } }, { "category": "product_version", "name": "jenkins-2-plugins-0:4.8.1637599935-1.el8.noarch", "product": { "name": "jenkins-2-plugins-0:4.8.1637599935-1.el8.noarch", "product_id": "jenkins-2-plugins-0:4.8.1637599935-1.el8.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jenkins-2-plugins@4.8.1637599935-1.el8?arch=noarch" } } }, { "category": "product_version", "name": "openshift-kuryr-cni-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "product": { "name": "openshift-kuryr-cni-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "product_id": "openshift-kuryr-cni-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift-kuryr-cni@4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8?arch=noarch" } } }, { "category": "product_version", "name": "openshift-kuryr-common-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "product": { "name": "openshift-kuryr-common-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "product_id": "openshift-kuryr-common-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift-kuryr-common@4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8?arch=noarch" } } }, { "category": "product_version", "name": "openshift-kuryr-controller-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "product": { "name": "openshift-kuryr-controller-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "product_id": "openshift-kuryr-controller-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "product_identification_helper": { "purl": 
"pkg:rpm/redhat/openshift-kuryr-controller@4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8?arch=noarch" } } }, { "category": "product_version", "name": "python3-kuryr-kubernetes-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "product": { "name": "python3-kuryr-kubernetes-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "product_id": "python3-kuryr-kubernetes-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/python3-kuryr-kubernetes@4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8?arch=noarch" } } }, { "category": "product_version", "name": "python3-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch", "product": { "name": "python3-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch", "product_id": "python3-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/python3-sushy@3.7.4-0.20211119091058.2cc60dc.el8?arch=noarch" } } }, { "category": "product_version", "name": "python3-sushy-tests-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch", "product": { "name": "python3-sushy-tests-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch", "product_id": "python3-sushy-tests-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/python3-sushy-tests@3.7.4-0.20211119091058.2cc60dc.el8?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.src as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.src" }, "product_reference": "cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.src", "relates_to_product_reference": "7Server-RH7-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": 
"cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64 as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64" }, "product_reference": "cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "relates_to_product_reference": "7Server-RH7-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64 as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "7Server-RH7-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64" }, "product_reference": "cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "relates_to_product_reference": "7Server-RH7-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.src as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "7Server-RH7-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.src" }, "product_reference": "openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.src", "relates_to_product_reference": "7Server-RH7-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.x86_64 as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "7Server-RH7-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.x86_64" }, "product_reference": "openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.x86_64", "relates_to_product_reference": "7Server-RH7-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "coreos-installer-0:0.9.0-8.rhaos4.8.el8.ppc64le as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.ppc64le" }, "product_reference": 
"coreos-installer-0:0.9.0-8.rhaos4.8.el8.ppc64le", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "coreos-installer-0:0.9.0-8.rhaos4.8.el8.s390x as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.s390x" }, "product_reference": "coreos-installer-0:0.9.0-8.rhaos4.8.el8.s390x", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "coreos-installer-0:0.9.0-8.rhaos4.8.el8.src as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.src" }, "product_reference": "coreos-installer-0:0.9.0-8.rhaos4.8.el8.src", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "coreos-installer-0:0.9.0-8.rhaos4.8.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.x86_64" }, "product_reference": "coreos-installer-0:0.9.0-8.rhaos4.8.el8.x86_64", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.ppc64le as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.ppc64le" }, "product_reference": "coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.ppc64le", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.s390x as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.s390x" }, "product_reference": 
"coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.s390x", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le" }, "product_reference": "coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x" }, "product_reference": "coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64" }, "product_reference": "coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le" }, "product_reference": "coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x as a 
component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x" }, "product_reference": "coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64" }, "product_reference": "coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.ppc64le as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.ppc64le" }, "product_reference": "coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.ppc64le", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.s390x as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.s390x" }, "product_reference": "coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.s390x", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.x86_64" }, "product_reference": "coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.x86_64", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", 
"full_product_name": { "name": "cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le" }, "product_reference": "cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x" }, "product_reference": "cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.src as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.src" }, "product_reference": "cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.src", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64" }, "product_reference": "cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le" }, "product_reference": "cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": 
"cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x" }, "product_reference": "cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64" }, "product_reference": "cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le" }, "product_reference": "cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x" }, "product_reference": "cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64" }, "product_reference": "cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", 
"relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "jenkins-0:2.303.3.1637596565-1.el8.noarch as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch" }, "product_reference": "jenkins-0:2.303.3.1637596565-1.el8.noarch", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "jenkins-0:2.303.3.1637596565-1.el8.src as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src" }, "product_reference": "jenkins-0:2.303.3.1637596565-1.el8.src", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "jenkins-2-plugins-0:4.8.1637599935-1.el8.noarch as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.noarch" }, "product_reference": "jenkins-2-plugins-0:4.8.1637599935-1.el8.noarch", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "jenkins-2-plugins-0:4.8.1637599935-1.el8.src as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.src" }, "product_reference": "jenkins-2-plugins-0:4.8.1637599935-1.el8.src", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.src as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.src" }, "product_reference": "openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.src", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { 
"category": "default_component_of", "full_product_name": { "name": "openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.ppc64le as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.ppc64le" }, "product_reference": "openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.ppc64le", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.s390x as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.s390x" }, "product_reference": "openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.s390x", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.x86_64" }, "product_reference": "openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.x86_64", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-kuryr-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.src as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:openshift-kuryr-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.src" }, "product_reference": "openshift-kuryr-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.src", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": 
"openshift-kuryr-cni-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:openshift-kuryr-cni-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch" }, "product_reference": "openshift-kuryr-cni-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-kuryr-common-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:openshift-kuryr-common-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch" }, "product_reference": "openshift-kuryr-common-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-kuryr-controller-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:openshift-kuryr-controller-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch" }, "product_reference": "openshift-kuryr-controller-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "python-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.src as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:python-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.src" }, "product_reference": "python-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.src", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "python3-kuryr-kubernetes-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch as a component of Red Hat 
OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:python3-kuryr-kubernetes-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch" }, "product_reference": "python3-kuryr-kubernetes-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "python3-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:python3-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch" }, "product_reference": "python3-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "python3-sushy-tests-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:python3-sushy-tests-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch" }, "product_reference": "python3-sushy-tests-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch", "relates_to_product_reference": "8Base-RHOSE-4.8" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-3917", "cwe": { "id": "CWE-276", "name": "Incorrect Default Permissions" }, "discovery_date": "2021-10-29T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.src", "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.x86_64", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.s390x", 
"8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.src", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.src", "8Base-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.s390x", 
"8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.x86_64", "8Base-RHOSE-4.8:openshift-kuryr-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-kuryr-cni-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-common-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-controller-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.src", "8Base-RHOSE-4.8:python3-kuryr-kubernetes-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-tests-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2018478" } ], "notes": [ { "category": "description", "text": "A flaw was found in the coreos-installer, where it writes the Ignition config to the target system with world-readable access permissions. This flaw allows a local attacker to have read access to potentially sensitive data. 
The highest threat from this vulnerability is to confidentiality.", "title": "Vulnerability description" }, { "category": "summary", "text": "coreos-installer: restrict access permissions on /boot/ignition{,/config.ign}", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.src", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.x86_64" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.src", "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.x86_64", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.ppc64le", 
"8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.src", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.src", "8Base-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.s390x", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.x86_64", "8Base-RHOSE-4.8:openshift-kuryr-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-kuryr-cni-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-common-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-controller-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.src", 
"8Base-RHOSE-4.8:python3-kuryr-kubernetes-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-tests-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-3917" }, { "category": "external", "summary": "RHBZ#2018478", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2018478" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-3917", "url": "https://www.cve.org/CVERecord?id=CVE-2021-3917" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3917", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3917" }, { "category": "external", "summary": "https://github.com/coreos/coreos-installer/commit/2a36405339c87b16ed6c76e91ad5b76638fbdb0c", "url": "https://github.com/coreos/coreos-installer/commit/2a36405339c87b16ed6c76e91ad5b76638fbdb0c" } ], "release_date": "2021-07-07T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-11-30T09:11:27+00:00", "details": "For OpenShift Container Platform 4.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.src", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.x86_64" ], "restart_required": { "category": "none" }, "url": 
"https://access.redhat.com/errata/RHSA-2021:4829" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.src", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "coreos-installer: restrict access permissions on /boot/ignition{,/config.ign}" }, { "cve": "CVE-2021-21685", "cwe": { "id": "CWE-281", "name": "Improper Preservation of Permissions" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.src", "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.x86_64", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.src", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.s390x", 
"8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.src", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.src", "8Base-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.s390x", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.x86_64", 
"8Base-RHOSE-4.8:openshift-kuryr-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-kuryr-cni-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-common-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-controller-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.src", "8Base-RHOSE-4.8:python3-kuryr-kubernetes-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-tests-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020322" } ], "notes": [ { "category": "description", "text": "An incorrect permissions validation vulnerability was found in Jenkins. The FilePath#mkdirs does not check permission to create parent directories, which may allow an attacker who controls the agent process to get read and write arbitrary files on the Jenkins controller file system.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: FilePath#mkdirs does not check permission to create parent directories", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.src", "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", 
"7Server-RH7-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.x86_64", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.src", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.src", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", 
"8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.src", "8Base-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.s390x", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.x86_64", "8Base-RHOSE-4.8:openshift-kuryr-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-kuryr-cni-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-common-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-controller-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.src", "8Base-RHOSE-4.8:python3-kuryr-kubernetes-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-tests-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21685" }, { "category": "external", "summary": "RHBZ#2020322", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020322" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21685", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21685" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21685", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21685" }, { "category": "external", "summary": 
"https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-11-30T09:11:27+00:00", "details": "For OpenShift Container Platform 4.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4829" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue and has not been able to identify a practical example. Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.src", "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.x86_64", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.src", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.src", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", 
"8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.src", "8Base-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.s390x", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.x86_64", "8Base-RHOSE-4.8:openshift-kuryr-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-kuryr-cni-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-common-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-controller-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.src", "8Base-RHOSE-4.8:python3-kuryr-kubernetes-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-tests-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", 
"privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: FilePath#mkdirs does not check permission to create parent directories" }, { "cve": "CVE-2021-21686", "cwe": { "id": "CWE-59", "name": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.src", "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.x86_64", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.src", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", 
"8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.src", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.src", "8Base-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.s390x", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.x86_64", "8Base-RHOSE-4.8:openshift-kuryr-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-kuryr-cni-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-common-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-controller-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", 
"8Base-RHOSE-4.8:python-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.src", "8Base-RHOSE-4.8:python3-kuryr-kubernetes-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-tests-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020323" } ], "notes": [ { "category": "description", "text": "A link following vulnerability was found in Jenkins. The file path filters do not canonicalize paths allowing operations to follow symbolic links to directories they are not supposed to have access to. This may allow an attacker to read and write arbitrary files on the Jenkins controller file system.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: File path filters do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.src", "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.x86_64", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.ppc64le", 
"8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.src", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.src", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.src", 
"8Base-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.s390x", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.x86_64", "8Base-RHOSE-4.8:openshift-kuryr-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-kuryr-cni-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-common-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-controller-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.src", "8Base-RHOSE-4.8:python3-kuryr-kubernetes-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-tests-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21686" }, { "category": "external", "summary": "RHBZ#2020323", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020323" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21686", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21686" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21686", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21686" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-11-30T09:11:27+00:00", "details": "For OpenShift Container Platform 4.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4829" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.src", "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.x86_64", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.src", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", 
"8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.src", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.src", "8Base-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.s390x", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.x86_64", 
"8Base-RHOSE-4.8:openshift-kuryr-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-kuryr-cni-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-common-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-controller-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.src", "8Base-RHOSE-4.8:python3-kuryr-kubernetes-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-tests-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: File path filters do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories" }, { "cve": "CVE-2021-21687", "cwe": { "id": "CWE-59", "name": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.src", "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", 
"7Server-RH7-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.x86_64", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.src", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.src", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", 
"8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.src", "8Base-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.s390x", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.x86_64", "8Base-RHOSE-4.8:openshift-kuryr-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-kuryr-cni-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-common-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-controller-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.src", "8Base-RHOSE-4.8:python3-kuryr-kubernetes-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-tests-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020324" } ], "notes": [ { "category": "description", "text": "An incorrect permissions validation vulnerability was found in Jenkins. The FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic link, which may allow an attacker to get read and write access to arbitrary files on the Jenkins controller file system.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic link", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.src", "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.x86_64", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.src", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", 
"8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.src", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.src", "8Base-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.s390x", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.x86_64", "8Base-RHOSE-4.8:openshift-kuryr-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-kuryr-cni-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", 
"8Base-RHOSE-4.8:openshift-kuryr-common-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-controller-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.src", "8Base-RHOSE-4.8:python3-kuryr-kubernetes-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-tests-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21687" }, { "category": "external", "summary": "RHBZ#2020324", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020324" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21687", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21687" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21687", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21687" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-11-30T09:11:27+00:00", "details": "For OpenShift Container Platform 4.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", 
"8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4829" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.src", "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.x86_64", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.src", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.x86_64", 
"8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.src", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.src", "8Base-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.s390x", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.x86_64", "8Base-RHOSE-4.8:openshift-kuryr-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-kuryr-cni-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-common-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-controller-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.src", "8Base-RHOSE-4.8:python3-kuryr-kubernetes-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", 
"8Base-RHOSE-4.8:python3-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-tests-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic link" }, { "cve": "CVE-2021-21688", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.src", "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.x86_64", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.src", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.s390x", 
"8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.src", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.src", "8Base-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.s390x", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.x86_64", 
"8Base-RHOSE-4.8:openshift-kuryr-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-kuryr-cni-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-common-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-controller-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.src", "8Base-RHOSE-4.8:python3-kuryr-kubernetes-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-tests-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020327" } ], "notes": [ { "category": "description", "text": "An incorrect access restriction vulnerability was found in Jenkins. FilePath#reading(FileVisitor) does not reject any operations, giving users unrestricted read access through certain operations (creating archives, FilePath#copyRecursiveTo). 
This may allow an attacker to get access to restricted data.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: FilePath#reading(FileVisitor) does not reject any operations allowing users to have unrestricted read access", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.src", "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.x86_64", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.src", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", 
"8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.src", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.src", "8Base-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.s390x", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.x86_64", "8Base-RHOSE-4.8:openshift-kuryr-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-kuryr-cni-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-common-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-controller-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", 
"8Base-RHOSE-4.8:python-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.src", "8Base-RHOSE-4.8:python3-kuryr-kubernetes-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-tests-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21688" }, { "category": "external", "summary": "RHBZ#2020327", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020327" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21688", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21688" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21688", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21688" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-11-30T09:11:27+00:00", "details": "For OpenShift Container Platform 4.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4829" }, { "category": "workaround", "details": "Red Hat has investigated whether a 
possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.src", "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.x86_64", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.src", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.src", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", 
"8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.src", "8Base-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.s390x", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.x86_64", "8Base-RHOSE-4.8:openshift-kuryr-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-kuryr-cni-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-common-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-controller-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.src", "8Base-RHOSE-4.8:python3-kuryr-kubernetes-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-tests-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", 
"confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: FilePath#reading(FileVisitor) does not reject any operations allowing users to have unrestricted read access" }, { "cve": "CVE-2021-21689", "cwe": { "id": "CWE-276", "name": "Incorrect Default Permissions" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.src", "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.x86_64", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.src", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", 
"8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.src", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.src", "8Base-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.s390x", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.x86_64", "8Base-RHOSE-4.8:openshift-kuryr-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-kuryr-cni-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-common-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", 
"8Base-RHOSE-4.8:openshift-kuryr-controller-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.src", "8Base-RHOSE-4.8:python3-kuryr-kubernetes-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-tests-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020335" } ], "notes": [ { "category": "description", "text": "An incorrect access control vulnerability was found in Jenkins. FilePath#unzip and FilePath#untar were not subject to any access control. An attacker able to invoke FilePath#unzip or FilePath#untar operations can read and write arbitrary files on the Jenkins controller file system.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: FilePath#unzip and FilePath#untar were not subject to any access control", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.src", "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.x86_64", 
"8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.src", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.src", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.src", 
"8Base-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.s390x", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.x86_64", "8Base-RHOSE-4.8:openshift-kuryr-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-kuryr-cni-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-common-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-controller-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.src", "8Base-RHOSE-4.8:python3-kuryr-kubernetes-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-tests-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21689" }, { "category": "external", "summary": "RHBZ#2020335", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020335" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21689", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21689" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21689", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21689" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-11-30T09:11:27+00:00", "details": "For 
OpenShift Container Platform 4.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4829" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.src", "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.x86_64", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.src", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", 
"8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.src", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.src", "8Base-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.s390x", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.x86_64", 
"8Base-RHOSE-4.8:openshift-kuryr-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-kuryr-cni-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-common-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-controller-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.src", "8Base-RHOSE-4.8:python3-kuryr-kubernetes-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-tests-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: FilePath#unzip and FilePath#untar were not subject to any access control" }, { "cve": "CVE-2021-21690", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.src", "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", 
"7Server-RH7-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.x86_64", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.src", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.src", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", 
"8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.src", "8Base-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.s390x", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.x86_64", "8Base-RHOSE-4.8:openshift-kuryr-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-kuryr-cni-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-common-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-controller-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.src", "8Base-RHOSE-4.8:python3-kuryr-kubernetes-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-tests-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020336" } ], "notes": [ { "category": "description", "text": "A file path filtering bypass vulnerability was found in Jenkins. Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path. 
This may allow an attacker who controls the agent process to get read and write access to arbitrary files on the Jenkins controller file system.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.src", "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.x86_64", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.src", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", 
"8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.src", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.src", "8Base-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.s390x", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.x86_64", "8Base-RHOSE-4.8:openshift-kuryr-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-kuryr-cni-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", 
"8Base-RHOSE-4.8:openshift-kuryr-common-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-controller-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.src", "8Base-RHOSE-4.8:python3-kuryr-kubernetes-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-tests-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21690" }, { "category": "external", "summary": "RHBZ#2020336", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020336" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21690", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21690" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21690", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21690" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-11-30T09:11:27+00:00", "details": "For OpenShift Container Platform 4.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", 
"8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4829" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.src", "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.x86_64", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.src", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.x86_64", 
"8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.src", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.src", "8Base-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.s390x", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.x86_64", "8Base-RHOSE-4.8:openshift-kuryr-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-kuryr-cni-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-common-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-controller-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.src", "8Base-RHOSE-4.8:python3-kuryr-kubernetes-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", 
"8Base-RHOSE-4.8:python3-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-tests-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path" }, { "cve": "CVE-2021-21691", "cwe": { "id": "CWE-276", "name": "Incorrect Default Permissions" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.src", "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.x86_64", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.src", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.s390x", 
"8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.src", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.src", "8Base-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.s390x", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.x86_64", 
"8Base-RHOSE-4.8:openshift-kuryr-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-kuryr-cni-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-common-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-controller-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.src", "8Base-RHOSE-4.8:python3-kuryr-kubernetes-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-tests-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020338" } ], "notes": [ { "category": "description", "text": "A vulnerability was found in Jenkins which failed to correctly validate permissions. This flaw allowed any user to create symbolic links regardless if they had the symlink permission. 
It may allow an attacker to read and write to arbitrary files on the Jenkins controller file system.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: Creating symbolic links is possible without the symlink permission", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.src", "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.x86_64", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.src", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", 
"8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.src", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.src", "8Base-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.s390x", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.x86_64", "8Base-RHOSE-4.8:openshift-kuryr-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-kuryr-cni-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-common-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-controller-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", 
"8Base-RHOSE-4.8:python-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.src", "8Base-RHOSE-4.8:python3-kuryr-kubernetes-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-tests-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21691" }, { "category": "external", "summary": "RHBZ#2020338", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020338" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21691", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21691" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21691", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21691" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-11-30T09:11:27+00:00", "details": "For OpenShift Container Platform 4.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4829" }, { "category": "workaround", "details": "Red Hat has investigated whether a 
possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.src", "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.x86_64", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.src", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.src", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", 
"8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.src", "8Base-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.s390x", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.x86_64", "8Base-RHOSE-4.8:openshift-kuryr-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-kuryr-cni-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-common-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-controller-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.src", "8Base-RHOSE-4.8:python3-kuryr-kubernetes-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-tests-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": 
"CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: Creating symbolic links is possible without the symlink permission" }, { "cve": "CVE-2021-21692", "cwe": { "id": "CWE-276", "name": "Incorrect Default Permissions" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.src", "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.x86_64", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.src", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", 
"8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.src", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.src", "8Base-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.s390x", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.x86_64", "8Base-RHOSE-4.8:openshift-kuryr-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-kuryr-cni-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-common-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-controller-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", 
"8Base-RHOSE-4.8:python-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.src", "8Base-RHOSE-4.8:python3-kuryr-kubernetes-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-tests-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020339" } ], "notes": [ { "category": "description", "text": "An incorrect permissions validation vulnerability was found in Jenkins. The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the source path which may allow an attacker who has access to these operations to be able to read and write to arbitrary files on the Jenkins controller file system.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the source path", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.src", "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.x86_64", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.ppc64le", 
"8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.src", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.src", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.src", 
"8Base-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.s390x", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.x86_64", "8Base-RHOSE-4.8:openshift-kuryr-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-kuryr-cni-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-common-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-controller-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.src", "8Base-RHOSE-4.8:python3-kuryr-kubernetes-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-tests-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21692" }, { "category": "external", "summary": "RHBZ#2020339", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020339" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21692", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21692" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21692", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21692" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-11-30T09:11:27+00:00", "details": "For 
OpenShift Container Platform 4.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4829" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.src", "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.x86_64", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.src", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", 
"8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.src", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.src", "8Base-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.s390x", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.x86_64", 
"8Base-RHOSE-4.8:openshift-kuryr-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-kuryr-cni-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-common-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-controller-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.src", "8Base-RHOSE-4.8:python3-kuryr-kubernetes-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-tests-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the source path" }, { "cve": "CVE-2021-21693", "cwe": { "id": "CWE-276", "name": "Incorrect Default Permissions" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.src", "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.src", 
"7Server-RH7-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.x86_64", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.src", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.src", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", 
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.src", "8Base-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.s390x", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.x86_64", "8Base-RHOSE-4.8:openshift-kuryr-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-kuryr-cni-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-common-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-controller-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.src", "8Base-RHOSE-4.8:python3-kuryr-kubernetes-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-tests-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020341" } ], "notes": [ { "category": "description", "text": "An incorrect permissions validation vulnerability was found in Jenkins. The permissions to create temporary files are only checked after they have been created. 
This may allow an attacker to get access to restricted data.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: When creating temporary files, permission to create files is only checked after they\u2019ve been created.", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.src", "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.x86_64", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.src", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", 
"8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.src", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.src", "8Base-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.s390x", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.x86_64", "8Base-RHOSE-4.8:openshift-kuryr-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-kuryr-cni-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-common-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-controller-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", 
"8Base-RHOSE-4.8:python-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.src", "8Base-RHOSE-4.8:python3-kuryr-kubernetes-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-tests-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21693" }, { "category": "external", "summary": "RHBZ#2020341", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020341" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21693", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21693" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21693", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21693" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-11-30T09:11:27+00:00", "details": "For OpenShift Container Platform 4.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4829" }, { "category": "workaround", "details": "Red Hat has investigated whether a 
possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.src", "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.x86_64", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.src", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.src", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", 
"8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.src", "8Base-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.s390x", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.x86_64", "8Base-RHOSE-4.8:openshift-kuryr-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-kuryr-cni-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-common-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-controller-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.src", "8Base-RHOSE-4.8:python3-kuryr-kubernetes-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-tests-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": 
"CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: When creating temporary files, permission to create files is only checked after they\u2019ve been created." }, { "cve": "CVE-2021-21694", "cwe": { "id": "CWE-863", "name": "Incorrect Authorization" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.src", "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.x86_64", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.src", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", 
"8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.src", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.src", "8Base-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.s390x", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.x86_64", "8Base-RHOSE-4.8:openshift-kuryr-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-kuryr-cni-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-common-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", 
"8Base-RHOSE-4.8:openshift-kuryr-controller-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.src", "8Base-RHOSE-4.8:python3-kuryr-kubernetes-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-tests-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020342" } ], "notes": [ { "category": "description", "text": "An incorrect permissions validation vulnerability was found in Jenkins. The FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions, which may allow an attacker who has access to any of these operations to be able to read and write arbitrary files on the Jenkins controller file system.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.src", "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.src", 
"7Server-RH7-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.x86_64", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.src", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.src", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", 
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.src", "8Base-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.s390x", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.x86_64", "8Base-RHOSE-4.8:openshift-kuryr-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-kuryr-cni-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-common-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-controller-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.src", "8Base-RHOSE-4.8:python3-kuryr-kubernetes-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-tests-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21694" }, { "category": "external", "summary": "RHBZ#2020342", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020342" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21694", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21694" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21694", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21694" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], 
"release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-11-30T09:11:27+00:00", "details": "For OpenShift Container Platform 4.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4829" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. 
Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.src", "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.x86_64", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.src", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.src", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", 
"8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.src", "8Base-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.s390x", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.x86_64", "8Base-RHOSE-4.8:openshift-kuryr-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-kuryr-cni-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-common-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-controller-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.src", "8Base-RHOSE-4.8:python3-kuryr-kubernetes-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-tests-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", 
"privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions" }, { "cve": "CVE-2021-21695", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.src", "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.x86_64", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.src", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", 
"8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.src", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.src", "8Base-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.s390x", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.x86_64", "8Base-RHOSE-4.8:openshift-kuryr-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-kuryr-cni-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-common-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", 
"8Base-RHOSE-4.8:openshift-kuryr-controller-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.src", "8Base-RHOSE-4.8:python3-kuryr-kubernetes-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-tests-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020343" } ], "notes": [ { "category": "description", "text": "An incorrect permissions validation vulnerability was found in Jenkins. The FilePath#listFiles lists files outside directories with agent read access when following symbolic links. This may allow an attacker to get access to restricted data.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: FilePath#listFiles lists files outside directories with agent read access when following symbolic links.", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.src", "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.x86_64", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.ppc64le", 
"8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.src", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.src", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.src", 
"8Base-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.s390x", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.x86_64", "8Base-RHOSE-4.8:openshift-kuryr-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-kuryr-cni-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-common-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-controller-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.src", "8Base-RHOSE-4.8:python3-kuryr-kubernetes-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-tests-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21695" }, { "category": "external", "summary": "RHBZ#2020343", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020343" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21695", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21695" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21695", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21695" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-11-30T09:11:27+00:00", "details": "For 
OpenShift Container Platform 4.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4829" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.src", "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.x86_64", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.src", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", 
"8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.src", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.src", "8Base-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.s390x", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.x86_64", 
"8Base-RHOSE-4.8:openshift-kuryr-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-kuryr-cni-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-common-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-controller-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.src", "8Base-RHOSE-4.8:python3-kuryr-kubernetes-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-tests-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: FilePath#listFiles lists files outside directories with agent read access when following symbolic links." 
}, { "cve": "CVE-2021-21696", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.src", "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.x86_64", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.src", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", 
"8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.src", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.src", "8Base-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.s390x", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.x86_64", "8Base-RHOSE-4.8:openshift-kuryr-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-kuryr-cni-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-common-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-controller-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.src", "8Base-RHOSE-4.8:python3-kuryr-kubernetes-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-tests-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020344" } ], "notes": [ { "category": "description", "text": "An incorrect 
permissions validation vulnerability was found in Jenkins. An agent process read/write access to the libs/ directory inside build directories when using the FilePath APIs is not limited. This allows attackers in control of agent processes to replace the code of a trusted library with a modified variant, resulting in unsandboxed code execution in the Jenkins controller process.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: Agent-to-controller access control allowed writing to sensitive directory used by Pipeline: Shared Groovy Libraries Plugin", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.src", "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.x86_64", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.src", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.s390x", 
"8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.src", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.src", "8Base-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.s390x", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.x86_64", 
"8Base-RHOSE-4.8:openshift-kuryr-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-kuryr-cni-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-common-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-controller-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.src", "8Base-RHOSE-4.8:python3-kuryr-kubernetes-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-tests-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21696" }, { "category": "external", "summary": "RHBZ#2020344", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020344" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21696", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21696" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21696", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21696" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2423", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2423" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-11-30T09:11:27+00:00", "details": "For OpenShift Container Platform 4.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available 
at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4829" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.src", "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.x86_64", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.src", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.ppc64le", 
"8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.src", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.src", "8Base-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.s390x", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.x86_64", "8Base-RHOSE-4.8:openshift-kuryr-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-kuryr-cni-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-common-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-controller-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.src", 
"8Base-RHOSE-4.8:python3-kuryr-kubernetes-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-tests-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: Agent-to-controller access control allowed writing to sensitive directory used by Pipeline: Shared Groovy Libraries Plugin" }, { "cve": "CVE-2021-21697", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.src", "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.x86_64", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.src", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.x86_64", 
"8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.src", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.src", "8Base-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.ppc64le", 
"8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.s390x", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.x86_64", "8Base-RHOSE-4.8:openshift-kuryr-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-kuryr-cni-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-common-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-controller-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.src", "8Base-RHOSE-4.8:python3-kuryr-kubernetes-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-tests-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020345" } ], "notes": [ { "category": "description", "text": "An incorrect access restriction vulnerability was found in Jenkins. The directories agents are allowed to access include the directories where there are stored build-related information intended to allow agents to store build-related metadata during build execution. 
As a consequence, this allows an attacker who controls agent process to read and write the contents of any build directory stored in Jenkins with very few restrictions (build.xml and some Pipeline-related metadata).", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: Agent-to-controller access control allows reading/writing most content of build directories", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.src", "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.x86_64", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.src", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", 
"8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.src", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.src", "8Base-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.s390x", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.x86_64", "8Base-RHOSE-4.8:openshift-kuryr-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-kuryr-cni-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", 
"8Base-RHOSE-4.8:openshift-kuryr-common-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-controller-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.src", "8Base-RHOSE-4.8:python3-kuryr-kubernetes-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-tests-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21697" }, { "category": "external", "summary": "RHBZ#2020345", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020345" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21697", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21697" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21697", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21697" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2428", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2428" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-11-30T09:11:27+00:00", "details": "For OpenShift Container Platform 4.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", 
"8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4829" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.src", "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.x86_64", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.src", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.x86_64", 
"8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.src", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.src", "8Base-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.s390x", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.x86_64", "8Base-RHOSE-4.8:openshift-kuryr-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-kuryr-cni-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-common-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-controller-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.src", "8Base-RHOSE-4.8:python3-kuryr-kubernetes-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", 
"8Base-RHOSE-4.8:python3-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-tests-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: Agent-to-controller access control allows reading/writing most content of build directories" }, { "cve": "CVE-2021-21698", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.src", "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.x86_64", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.src", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.s390x", 
"8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.src", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src", "8Base-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.s390x", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.x86_64", 
"8Base-RHOSE-4.8:openshift-kuryr-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-kuryr-cni-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-common-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-controller-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.src", "8Base-RHOSE-4.8:python3-kuryr-kubernetes-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-tests-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020385" } ], "notes": [ { "category": "description", "text": "An incorrect access restriction vulnerability was found in the Subversion Plugin for Jenkins. An agent\u0027s ability to learn the name of a file is not restricted when looking up a subversion key file on the controller. 
This may allow attackers to control agent processes and read arbitrary files on the Jenkins controller file system.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins-2-plugins/subversion: does not restrict the name of a file when looking up a subversion key", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.src", "7Server-RH7-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64", "7Server-RH7-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.x86_64", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.src", "8Base-RHOSE-4.8:coreos-installer-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-bootinfra-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.ppc64le", 
"8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debuginfo-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.ppc64le", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.s390x", "8Base-RHOSE-4.8:coreos-installer-debugsource-0:0.9.0-8.rhaos4.8.el8.x86_64", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.src", "8Base-RHOSE-4.8:cri-o-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debuginfo-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.s390x", "8Base-RHOSE-4.8:cri-o-debugsource-0:1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-0:2.303.3.1637596565-1.el8.src", "8Base-RHOSE-4.8:openshift-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.s390x", "8Base-RHOSE-4.8:openshift-hyperkube-0:4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.x86_64", "8Base-RHOSE-4.8:openshift-kuryr-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.src", "8Base-RHOSE-4.8:openshift-kuryr-cni-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:openshift-kuryr-common-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", 
"8Base-RHOSE-4.8:openshift-kuryr-controller-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.src", "8Base-RHOSE-4.8:python3-kuryr-kubernetes-0:4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch", "8Base-RHOSE-4.8:python3-sushy-tests-0:3.7.4-0.20211119091058.2cc60dc.el8.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21698" }, { "category": "external", "summary": "RHBZ#2020385", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020385" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21698", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21698" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21698", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21698" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2506", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2506" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-11-30T09:11:27+00:00", "details": "For OpenShift Container Platform 4.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.src" ], "restart_required": { "category": "none" }, "url": 
"https://access.redhat.com/errata/RHSA-2021:4829" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.noarch", "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1637599935-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jenkins-2-plugins/subversion: does not restrict the name of a file when looking up a subversion key" } ] }
rhsa-2021_4827
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat OpenShift Container Platform release 3.11.569 is now available with updates to packages and images that fix several bugs and add enhancements.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.\n\nSecurity Fix(es):\n\n* jenkins-2-plugins/subversion: does not restrict the name of a file when looking up a subversion key (CVE-2021-21698)\n* jenkins: FilePath#mkdirs does not check permission to create parent directories (CVE-2021-21685)\n* jenkins: File path filters do not canonicalize paths, allowing operations\nto follow symbolic links to outside allowed directories (CVE-2021-21686)\n* jenkins: FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic link (CVE-2021-21687)\n* jenkins: FilePath#reading(FileVisitor) does not reject any operations allowing users to have unrestricted read access (CVE-2021-21688)\n* jenkins: FilePath#unzip and FilePath#untar were not subject to any access control (CVE-2021-21689)\n* jenkins: Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path\n(CVE-2021-21690)\n* jenkins: Creating symbolic links 
is possible without the symlink permission (CVE-2021-21691)\n* jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the source path (CVE-2021-21692)\n* jenkins: When creating temporary files, permission to create files is only checked after they\u2019ve been created. (CVE-2021-21693)\n* jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any\npermissions (CVE-2021-21694)\n* jenkins: FilePath#listFiles lists files outside directories with agent read access when following symbolic links. (CVE-2021-21695)\n* jenkins: Agent-to-controller access control allowed writing to sensitive directory used by Pipeline: Shared Groovy Libraries Plugin (CVE-2021-21696)\n* jenkins: Agent-to-controller access control allows reading/writing most content of build directories (CVE-2021-21697)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:4827", "url": "https://access.redhat.com/errata/RHSA-2021:4827" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "1920894", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1920894" }, { "category": "external", "summary": "2002671", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2002671" }, { "category": "external", "summary": "2002909", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2002909" }, { "category": "external", "summary": "2003491", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2003491" }, { "category": "external", "summary": "2013496", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2013496" }, { "category": "external", "summary": "2016467", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2016467" }, { "category": "external", "summary": "2020322", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020322" }, { "category": "external", "summary": "2020323", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020323" }, { "category": "external", "summary": "2020324", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020324" }, { "category": "external", "summary": "2020327", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020327" }, { "category": "external", "summary": "2020335", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020335" }, { "category": "external", 
"summary": "2020336", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020336" }, { "category": "external", "summary": "2020338", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020338" }, { "category": "external", "summary": "2020339", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020339" }, { "category": "external", "summary": "2020341", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020341" }, { "category": "external", "summary": "2020342", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020342" }, { "category": "external", "summary": "2020343", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020343" }, { "category": "external", "summary": "2020344", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020344" }, { "category": "external", "summary": "2020345", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020345" }, { "category": "external", "summary": "2020385", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020385" }, { "category": "external", "summary": "2026193", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2026193" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_4827.json" } ], "title": "Red Hat Security Advisory: OpenShift Container Platform 3.11.569 security update", "tracking": { "current_release_date": "2024-11-06T00:12:18+00:00", "generator": { "date": "2024-11-06T00:12:18+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2021:4827", "initial_release_date": "2021-12-02T22:04:06+00:00", "revision_history": [ { "date": "2021-12-02T22:04:06+00:00", "number": "1", "summary": "Initial version" }, { "date": "2021-12-02T22:04:06+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-06T00:12:18+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { 
"category": "product_name", "name": "Red Hat OpenShift Container Platform 3.11", "product": { "name": "Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:3.11::el7" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "jenkins-0:2.303.3.1637698110-1.el7.src", "product": { "name": "jenkins-0:2.303.3.1637698110-1.el7.src", "product_id": "jenkins-0:2.303.3.1637698110-1.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jenkins@2.303.3.1637698110-1.el7?arch=src" } } }, { "category": "product_version", "name": "jenkins-2-plugins-0:3.11.1637699107-1.el7.src", "product": { "name": "jenkins-2-plugins-0:3.11.1637699107-1.el7.src", "product_id": "jenkins-2-plugins-0:3.11.1637699107-1.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jenkins-2-plugins@3.11.1637699107-1.el7?arch=src" } } }, { "category": "product_version", "name": "atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.src", "product": { "name": "atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.src", "product_id": "atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/atomic-enterprise-service-catalog@3.11.569-1.g2e6be86.el7?arch=src\u0026epoch=1" } } }, { "category": "product_version", "name": "atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.src", "product": { "name": "atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.src", "product_id": "atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/atomic-openshift@3.11.569-1.git.0.9dc951a.el7?arch=src" } } }, { "category": "product_version", "name": "atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.src", "product": { "name": "atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.src", 
"product_id": "atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/atomic-openshift-cluster-autoscaler@3.11.569-1.g99b2acf.el7?arch=src" } } }, { "category": "product_version", "name": "atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.src", "product": { "name": "atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.src", "product_id": "atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/atomic-openshift-descheduler@3.11.569-1.gd435537.el7?arch=src" } } }, { "category": "product_version", "name": "atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.src", "product": { "name": "atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.src", "product_id": "atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/atomic-openshift-dockerregistry@3.11.569-1.g3571208.el7?arch=src" } } }, { "category": "product_version", "name": "atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.src", "product": { "name": "atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.src", "product_id": "atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/atomic-openshift-metrics-server@3.11.569-1.gf8bf728.el7?arch=src" } } }, { "category": "product_version", "name": "atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.src", "product": { "name": "atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.src", "product_id": "atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/atomic-openshift-node-problem-detector@3.11.569-1.gc8f26da.el7?arch=src" } } }, { "category": "product_version", "name": "atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.src", "product": { "name": 
"atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.src", "product_id": "atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/atomic-openshift-service-idler@3.11.569-1.g39cfc66.el7?arch=src" } } }, { "category": "product_version", "name": "atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.src", "product": { "name": "atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.src", "product_id": "atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/atomic-openshift-web-console@3.11.569-1.g3e485e6.el7?arch=src" } } }, { "category": "product_version", "name": "golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.src", "product": { "name": "golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.src", "product_id": "golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/golang-github-openshift-oauth-proxy@3.11.569-1.gedebe84.el7?arch=src" } } }, { "category": "product_version", "name": "golang-github-prometheus-alertmanager-0:3.11.569-1.g13de638.el7.src", "product": { "name": "golang-github-prometheus-alertmanager-0:3.11.569-1.g13de638.el7.src", "product_id": "golang-github-prometheus-alertmanager-0:3.11.569-1.g13de638.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/golang-github-prometheus-alertmanager@3.11.569-1.g13de638.el7?arch=src" } } }, { "category": "product_version", "name": "golang-github-prometheus-node_exporter-0:3.11.569-1.g609cd20.el7.src", "product": { "name": "golang-github-prometheus-node_exporter-0:3.11.569-1.g609cd20.el7.src", "product_id": "golang-github-prometheus-node_exporter-0:3.11.569-1.g609cd20.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/golang-github-prometheus-node_exporter@3.11.569-1.g609cd20.el7?arch=src" } } }, { "category": "product_version", "name": 
"golang-github-prometheus-prometheus-0:3.11.569-1.g99aae51.el7.src", "product": { "name": "golang-github-prometheus-prometheus-0:3.11.569-1.g99aae51.el7.src", "product_id": "golang-github-prometheus-prometheus-0:3.11.569-1.g99aae51.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/golang-github-prometheus-prometheus@3.11.569-1.g99aae51.el7?arch=src" } } }, { "category": "product_version", "name": "openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.src", "product": { "name": "openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.src", "product_id": "openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift-ansible@3.11.569-1.git.0.9620ba1.el7?arch=src" } } }, { "category": "product_version", "name": "openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.src", "product": { "name": "openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.src", "product_id": "openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift-enterprise-autoheal@3.11.569-1.gf2f435d.el7?arch=src" } } }, { "category": "product_version", "name": "openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.src", "product": { "name": "openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.src", "product_id": "openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift-enterprise-cluster-capacity@3.11.569-1.g22be164.el7?arch=src" } } }, { "category": "product_version", "name": "openshift-kuryr-0:3.11.569-1.g0c4bf66.el7.src", "product": { "name": "openshift-kuryr-0:3.11.569-1.g0c4bf66.el7.src", "product_id": "openshift-kuryr-0:3.11.569-1.g0c4bf66.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift-kuryr@3.11.569-1.g0c4bf66.el7?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": 
"product_version", "name": "jenkins-0:2.303.3.1637698110-1.el7.noarch", "product": { "name": "jenkins-0:2.303.3.1637698110-1.el7.noarch", "product_id": "jenkins-0:2.303.3.1637698110-1.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jenkins@2.303.3.1637698110-1.el7?arch=noarch" } } }, { "category": "product_version", "name": "jenkins-2-plugins-0:3.11.1637699107-1.el7.noarch", "product": { "name": "jenkins-2-plugins-0:3.11.1637699107-1.el7.noarch", "product_id": "jenkins-2-plugins-0:3.11.1637699107-1.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jenkins-2-plugins@3.11.1637699107-1.el7?arch=noarch" } } }, { "category": "product_version", "name": "atomic-openshift-docker-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "product": { "name": "atomic-openshift-docker-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "product_id": "atomic-openshift-docker-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/atomic-openshift-docker-excluder@3.11.569-1.git.0.9dc951a.el7?arch=noarch" } } }, { "category": "product_version", "name": "atomic-openshift-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "product": { "name": "atomic-openshift-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "product_id": "atomic-openshift-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/atomic-openshift-excluder@3.11.569-1.git.0.9dc951a.el7?arch=noarch" } } }, { "category": "product_version", "name": "openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.noarch", "product": { "name": "openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.noarch", "product_id": "openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift-ansible@3.11.569-1.git.0.9620ba1.el7?arch=noarch" } } }, { "category": "product_version", "name": "openshift-ansible-docs-0:3.11.569-1.git.0.9620ba1.el7.noarch", 
"product": { "name": "openshift-ansible-docs-0:3.11.569-1.git.0.9620ba1.el7.noarch", "product_id": "openshift-ansible-docs-0:3.11.569-1.git.0.9620ba1.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift-ansible-docs@3.11.569-1.git.0.9620ba1.el7?arch=noarch" } } }, { "category": "product_version", "name": "openshift-ansible-playbooks-0:3.11.569-1.git.0.9620ba1.el7.noarch", "product": { "name": "openshift-ansible-playbooks-0:3.11.569-1.git.0.9620ba1.el7.noarch", "product_id": "openshift-ansible-playbooks-0:3.11.569-1.git.0.9620ba1.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift-ansible-playbooks@3.11.569-1.git.0.9620ba1.el7?arch=noarch" } } }, { "category": "product_version", "name": "openshift-ansible-roles-0:3.11.569-1.git.0.9620ba1.el7.noarch", "product": { "name": "openshift-ansible-roles-0:3.11.569-1.git.0.9620ba1.el7.noarch", "product_id": "openshift-ansible-roles-0:3.11.569-1.git.0.9620ba1.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift-ansible-roles@3.11.569-1.git.0.9620ba1.el7?arch=noarch" } } }, { "category": "product_version", "name": "openshift-ansible-test-0:3.11.569-1.git.0.9620ba1.el7.noarch", "product": { "name": "openshift-ansible-test-0:3.11.569-1.git.0.9620ba1.el7.noarch", "product_id": "openshift-ansible-test-0:3.11.569-1.git.0.9620ba1.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift-ansible-test@3.11.569-1.git.0.9620ba1.el7?arch=noarch" } } }, { "category": "product_version", "name": "openshift-kuryr-cni-0:3.11.569-1.g0c4bf66.el7.noarch", "product": { "name": "openshift-kuryr-cni-0:3.11.569-1.g0c4bf66.el7.noarch", "product_id": "openshift-kuryr-cni-0:3.11.569-1.g0c4bf66.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift-kuryr-cni@3.11.569-1.g0c4bf66.el7?arch=noarch" } } }, { "category": "product_version", "name": "openshift-kuryr-common-0:3.11.569-1.g0c4bf66.el7.noarch", "product": { 
"name": "openshift-kuryr-common-0:3.11.569-1.g0c4bf66.el7.noarch", "product_id": "openshift-kuryr-common-0:3.11.569-1.g0c4bf66.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift-kuryr-common@3.11.569-1.g0c4bf66.el7?arch=noarch" } } }, { "category": "product_version", "name": "openshift-kuryr-controller-0:3.11.569-1.g0c4bf66.el7.noarch", "product": { "name": "openshift-kuryr-controller-0:3.11.569-1.g0c4bf66.el7.noarch", "product_id": "openshift-kuryr-controller-0:3.11.569-1.g0c4bf66.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift-kuryr-controller@3.11.569-1.g0c4bf66.el7?arch=noarch" } } }, { "category": "product_version", "name": "python2-kuryr-kubernetes-0:3.11.569-1.g0c4bf66.el7.noarch", "product": { "name": "python2-kuryr-kubernetes-0:3.11.569-1.g0c4bf66.el7.noarch", "product_id": "python2-kuryr-kubernetes-0:3.11.569-1.g0c4bf66.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/python2-kuryr-kubernetes@3.11.569-1.g0c4bf66.el7?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.x86_64", "product": { "name": "atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.x86_64", "product_id": "atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/atomic-enterprise-service-catalog@3.11.569-1.g2e6be86.el7?arch=x86_64\u0026epoch=1" } } }, { "category": "product_version", "name": "atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.x86_64", "product": { "name": "atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.x86_64", "product_id": "atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.x86_64", "product_identification_helper": { "purl": 
"pkg:rpm/redhat/atomic-enterprise-service-catalog-svcat@3.11.569-1.g2e6be86.el7?arch=x86_64\u0026epoch=1" } } }, { "category": "product_version", "name": "atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "product": { "name": "atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "product_id": "atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/atomic-openshift@3.11.569-1.git.0.9dc951a.el7?arch=x86_64" } } }, { "category": "product_version", "name": "atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "product": { "name": "atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "product_id": "atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/atomic-openshift-clients@3.11.569-1.git.0.9dc951a.el7?arch=x86_64" } } }, { "category": "product_version", "name": "atomic-openshift-clients-redistributable-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "product": { "name": "atomic-openshift-clients-redistributable-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "product_id": "atomic-openshift-clients-redistributable-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/atomic-openshift-clients-redistributable@3.11.569-1.git.0.9dc951a.el7?arch=x86_64" } } }, { "category": "product_version", "name": "atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "product": { "name": "atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "product_id": "atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/atomic-openshift-hyperkube@3.11.569-1.git.0.9dc951a.el7?arch=x86_64" } } }, { "category": "product_version", "name": "atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "product": { "name": "atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "product_id": 
"atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/atomic-openshift-hypershift@3.11.569-1.git.0.9dc951a.el7?arch=x86_64" } } }, { "category": "product_version", "name": "atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "product": { "name": "atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "product_id": "atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/atomic-openshift-master@3.11.569-1.git.0.9dc951a.el7?arch=x86_64" } } }, { "category": "product_version", "name": "atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "product": { "name": "atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "product_id": "atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/atomic-openshift-node@3.11.569-1.git.0.9dc951a.el7?arch=x86_64" } } }, { "category": "product_version", "name": "atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "product": { "name": "atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "product_id": "atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/atomic-openshift-pod@3.11.569-1.git.0.9dc951a.el7?arch=x86_64" } } }, { "category": "product_version", "name": "atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "product": { "name": "atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "product_id": "atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/atomic-openshift-sdn-ovs@3.11.569-1.git.0.9dc951a.el7?arch=x86_64" } } }, { "category": "product_version", "name": "atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "product": { "name": 
"atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "product_id": "atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/atomic-openshift-template-service-broker@3.11.569-1.git.0.9dc951a.el7?arch=x86_64" } } }, { "category": "product_version", "name": "atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "product": { "name": "atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "product_id": "atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/atomic-openshift-tests@3.11.569-1.git.0.9dc951a.el7?arch=x86_64" } } }, { "category": "product_version", "name": "atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.x86_64", "product": { "name": "atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.x86_64", "product_id": "atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/atomic-openshift-cluster-autoscaler@3.11.569-1.g99b2acf.el7?arch=x86_64" } } }, { "category": "product_version", "name": "atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.x86_64", "product": { "name": "atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.x86_64", "product_id": "atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/atomic-openshift-descheduler@3.11.569-1.gd435537.el7?arch=x86_64" } } }, { "category": "product_version", "name": "atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.x86_64", "product": { "name": "atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.x86_64", "product_id": "atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/atomic-openshift-dockerregistry@3.11.569-1.g3571208.el7?arch=x86_64" } } }, { "category": 
"product_version", "name": "atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.x86_64", "product": { "name": "atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.x86_64", "product_id": "atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/atomic-openshift-metrics-server@3.11.569-1.gf8bf728.el7?arch=x86_64" } } }, { "category": "product_version", "name": "atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.x86_64", "product": { "name": "atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.x86_64", "product_id": "atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/atomic-openshift-node-problem-detector@3.11.569-1.gc8f26da.el7?arch=x86_64" } } }, { "category": "product_version", "name": "atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.x86_64", "product": { "name": "atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.x86_64", "product_id": "atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/atomic-openshift-service-idler@3.11.569-1.g39cfc66.el7?arch=x86_64" } } }, { "category": "product_version", "name": "atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.x86_64", "product": { "name": "atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.x86_64", "product_id": "atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/atomic-openshift-web-console@3.11.569-1.g3e485e6.el7?arch=x86_64" } } }, { "category": "product_version", "name": "golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.x86_64", "product": { "name": "golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.x86_64", "product_id": "golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.x86_64", "product_identification_helper": { "purl": 
"pkg:rpm/redhat/golang-github-openshift-oauth-proxy@3.11.569-1.gedebe84.el7?arch=x86_64" } } }, { "category": "product_version", "name": "prometheus-alertmanager-0:3.11.569-1.g13de638.el7.x86_64", "product": { "name": "prometheus-alertmanager-0:3.11.569-1.g13de638.el7.x86_64", "product_id": "prometheus-alertmanager-0:3.11.569-1.g13de638.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/prometheus-alertmanager@3.11.569-1.g13de638.el7?arch=x86_64" } } }, { "category": "product_version", "name": "prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.x86_64", "product": { "name": "prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.x86_64", "product_id": "prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/prometheus-node-exporter@3.11.569-1.g609cd20.el7?arch=x86_64" } } }, { "category": "product_version", "name": "prometheus-0:3.11.569-1.g99aae51.el7.x86_64", "product": { "name": "prometheus-0:3.11.569-1.g99aae51.el7.x86_64", "product_id": "prometheus-0:3.11.569-1.g99aae51.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/prometheus@3.11.569-1.g99aae51.el7?arch=x86_64" } } }, { "category": "product_version", "name": "openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.x86_64", "product": { "name": "openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.x86_64", "product_id": "openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift-enterprise-autoheal@3.11.569-1.gf2f435d.el7?arch=x86_64" } } }, { "category": "product_version", "name": "openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.x86_64", "product": { "name": "openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.x86_64", "product_id": "openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.x86_64", "product_identification_helper": { "purl": 
"pkg:rpm/redhat/openshift-enterprise-cluster-capacity@3.11.569-1.g22be164.el7?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_version", "name": "atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.ppc64le", "product": { "name": "atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.ppc64le", "product_id": "atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/atomic-enterprise-service-catalog@3.11.569-1.g2e6be86.el7?arch=ppc64le\u0026epoch=1" } } }, { "category": "product_version", "name": "atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.ppc64le", "product": { "name": "atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.ppc64le", "product_id": "atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/atomic-enterprise-service-catalog-svcat@3.11.569-1.g2e6be86.el7?arch=ppc64le\u0026epoch=1" } } }, { "category": "product_version", "name": "atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "product": { "name": "atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "product_id": "atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/atomic-openshift@3.11.569-1.git.0.9dc951a.el7?arch=ppc64le" } } }, { "category": "product_version", "name": "atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "product": { "name": "atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "product_id": "atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/atomic-openshift-clients@3.11.569-1.git.0.9dc951a.el7?arch=ppc64le" } } }, { "category": "product_version", "name": "atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "product": { "name": 
"atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "product_id": "atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/atomic-openshift-hyperkube@3.11.569-1.git.0.9dc951a.el7?arch=ppc64le" } } }, { "category": "product_version", "name": "atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "product": { "name": "atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "product_id": "atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/atomic-openshift-hypershift@3.11.569-1.git.0.9dc951a.el7?arch=ppc64le" } } }, { "category": "product_version", "name": "atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "product": { "name": "atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "product_id": "atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/atomic-openshift-master@3.11.569-1.git.0.9dc951a.el7?arch=ppc64le" } } }, { "category": "product_version", "name": "atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "product": { "name": "atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "product_id": "atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/atomic-openshift-node@3.11.569-1.git.0.9dc951a.el7?arch=ppc64le" } } }, { "category": "product_version", "name": "atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "product": { "name": "atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "product_id": "atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/atomic-openshift-pod@3.11.569-1.git.0.9dc951a.el7?arch=ppc64le" } } }, { "category": "product_version", "name": 
"atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "product": { "name": "atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "product_id": "atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/atomic-openshift-sdn-ovs@3.11.569-1.git.0.9dc951a.el7?arch=ppc64le" } } }, { "category": "product_version", "name": "atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "product": { "name": "atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "product_id": "atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/atomic-openshift-template-service-broker@3.11.569-1.git.0.9dc951a.el7?arch=ppc64le" } } }, { "category": "product_version", "name": "atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "product": { "name": "atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "product_id": "atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/atomic-openshift-tests@3.11.569-1.git.0.9dc951a.el7?arch=ppc64le" } } }, { "category": "product_version", "name": "atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.ppc64le", "product": { "name": "atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.ppc64le", "product_id": "atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/atomic-openshift-cluster-autoscaler@3.11.569-1.g99b2acf.el7?arch=ppc64le" } } }, { "category": "product_version", "name": "atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.ppc64le", "product": { "name": "atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.ppc64le", "product_id": "atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.ppc64le", "product_identification_helper": { "purl": 
"pkg:rpm/redhat/atomic-openshift-descheduler@3.11.569-1.gd435537.el7?arch=ppc64le" } } }, { "category": "product_version", "name": "atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.ppc64le", "product": { "name": "atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.ppc64le", "product_id": "atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/atomic-openshift-metrics-server@3.11.569-1.gf8bf728.el7?arch=ppc64le" } } }, { "category": "product_version", "name": "atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.ppc64le", "product": { "name": "atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.ppc64le", "product_id": "atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/atomic-openshift-node-problem-detector@3.11.569-1.gc8f26da.el7?arch=ppc64le" } } }, { "category": "product_version", "name": "atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.ppc64le", "product": { "name": "atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.ppc64le", "product_id": "atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/atomic-openshift-service-idler@3.11.569-1.g39cfc66.el7?arch=ppc64le" } } }, { "category": "product_version", "name": "atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.ppc64le", "product": { "name": "atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.ppc64le", "product_id": "atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/atomic-openshift-web-console@3.11.569-1.g3e485e6.el7?arch=ppc64le" } } }, { "category": "product_version", "name": "golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.ppc64le", "product": { "name": "golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.ppc64le", "product_id": 
"golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/golang-github-openshift-oauth-proxy@3.11.569-1.gedebe84.el7?arch=ppc64le" } } }, { "category": "product_version", "name": "prometheus-alertmanager-0:3.11.569-1.g13de638.el7.ppc64le", "product": { "name": "prometheus-alertmanager-0:3.11.569-1.g13de638.el7.ppc64le", "product_id": "prometheus-alertmanager-0:3.11.569-1.g13de638.el7.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/prometheus-alertmanager@3.11.569-1.g13de638.el7?arch=ppc64le" } } }, { "category": "product_version", "name": "prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.ppc64le", "product": { "name": "prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.ppc64le", "product_id": "prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/prometheus-node-exporter@3.11.569-1.g609cd20.el7?arch=ppc64le" } } }, { "category": "product_version", "name": "prometheus-0:3.11.569-1.g99aae51.el7.ppc64le", "product": { "name": "prometheus-0:3.11.569-1.g99aae51.el7.ppc64le", "product_id": "prometheus-0:3.11.569-1.g99aae51.el7.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/prometheus@3.11.569-1.g99aae51.el7?arch=ppc64le" } } }, { "category": "product_version", "name": "openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.ppc64le", "product": { "name": "openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.ppc64le", "product_id": "openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift-enterprise-autoheal@3.11.569-1.gf2f435d.el7?arch=ppc64le" } } }, { "category": "product_version", "name": "openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.ppc64le", "product": { "name": "openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.ppc64le", "product_id": 
"openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift-enterprise-cluster-capacity@3.11.569-1.g22be164.el7?arch=ppc64le" } } } ], "category": "architecture", "name": "ppc64le" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.ppc64le as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.ppc64le" }, "product_reference": "atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.ppc64le", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.src as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.src" }, "product_reference": "atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.src", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.x86_64 as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.x86_64" }, "product_reference": "atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.x86_64", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.ppc64le as a component of Red Hat OpenShift Container Platform 3.11", "product_id": 
"7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.ppc64le" }, "product_reference": "atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.ppc64le", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.x86_64 as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.x86_64" }, "product_reference": "atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.x86_64", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le" }, "product_reference": "atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.src as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.src" }, "product_reference": "atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.src", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.x86_64 as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.x86_64" }, "product_reference": "atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, 
{ "category": "default_component_of", "full_product_name": { "name": "atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.ppc64le as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.ppc64le" }, "product_reference": "atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.x86_64 as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.x86_64" }, "product_reference": "atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "atomic-openshift-clients-redistributable-0:3.11.569-1.git.0.9dc951a.el7.x86_64 as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-redistributable-0:3.11.569-1.git.0.9dc951a.el7.x86_64" }, "product_reference": "atomic-openshift-clients-redistributable-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.ppc64le as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.ppc64le" }, "product_reference": "atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.ppc64le", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.src as 
a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.src" }, "product_reference": "atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.src", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.x86_64 as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.x86_64" }, "product_reference": "atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.x86_64", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.ppc64le as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.ppc64le" }, "product_reference": "atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.ppc64le", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.src as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.src" }, "product_reference": "atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.src", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.x86_64 as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.x86_64" }, "product_reference": 
"atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.x86_64", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "atomic-openshift-docker-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:atomic-openshift-docker-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch" }, "product_reference": "atomic-openshift-docker-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.src as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.src" }, "product_reference": "atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.src", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.x86_64 as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.x86_64" }, "product_reference": "atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.x86_64", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "atomic-openshift-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:atomic-openshift-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch" }, "product_reference": "atomic-openshift-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", 
"full_product_name": { "name": "atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.ppc64le as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.ppc64le" }, "product_reference": "atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.x86_64 as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.x86_64" }, "product_reference": "atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le" }, "product_reference": "atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.x86_64 as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.x86_64" }, "product_reference": "atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.ppc64le as a component of Red Hat OpenShift Container Platform 3.11", "product_id": 
"7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.ppc64le" }, "product_reference": "atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.x86_64 as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.x86_64" }, "product_reference": "atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.ppc64le as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.ppc64le" }, "product_reference": "atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.ppc64le", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.src as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.src" }, "product_reference": "atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.src", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.x86_64 as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.x86_64" }, "product_reference": "atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.x86_64", 
"relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.ppc64le as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.ppc64le" }, "product_reference": "atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.x86_64 as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.x86_64" }, "product_reference": "atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.ppc64le as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.ppc64le" }, "product_reference": "atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.ppc64le", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.src as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.src" }, "product_reference": "atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.src", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": 
"atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.x86_64 as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.x86_64" }, "product_reference": "atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.x86_64", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.ppc64le as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.ppc64le" }, "product_reference": "atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.x86_64 as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.x86_64" }, "product_reference": "atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.ppc64le as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.ppc64le" }, "product_reference": "atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.x86_64 as a component of Red Hat OpenShift Container Platform 3.11", "product_id": 
"7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.x86_64" }, "product_reference": "atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.ppc64le as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.ppc64le" }, "product_reference": "atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.ppc64le", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.src as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.src" }, "product_reference": "atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.src", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.x86_64 as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.x86_64" }, "product_reference": "atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.x86_64", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.ppc64le as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.ppc64le" }, "product_reference": 
"atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.x86_64 as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.x86_64" }, "product_reference": "atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.ppc64le as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.ppc64le" }, "product_reference": "atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.x86_64 as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.x86_64" }, "product_reference": "atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.ppc64le as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.ppc64le" }, "product_reference": "atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.ppc64le", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": 
"default_component_of", "full_product_name": { "name": "atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.src as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.src" }, "product_reference": "atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.src", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.x86_64 as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.x86_64" }, "product_reference": "atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.x86_64", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.ppc64le as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.ppc64le" }, "product_reference": "golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.ppc64le", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.src as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.src" }, "product_reference": "golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.src", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.x86_64 as a component of Red Hat OpenShift Container Platform 3.11", 
"product_id": "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.x86_64" }, "product_reference": "golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.x86_64", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "golang-github-prometheus-alertmanager-0:3.11.569-1.g13de638.el7.src as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:golang-github-prometheus-alertmanager-0:3.11.569-1.g13de638.el7.src" }, "product_reference": "golang-github-prometheus-alertmanager-0:3.11.569-1.g13de638.el7.src", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "golang-github-prometheus-node_exporter-0:3.11.569-1.g609cd20.el7.src as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:golang-github-prometheus-node_exporter-0:3.11.569-1.g609cd20.el7.src" }, "product_reference": "golang-github-prometheus-node_exporter-0:3.11.569-1.g609cd20.el7.src", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "golang-github-prometheus-prometheus-0:3.11.569-1.g99aae51.el7.src as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:golang-github-prometheus-prometheus-0:3.11.569-1.g99aae51.el7.src" }, "product_reference": "golang-github-prometheus-prometheus-0:3.11.569-1.g99aae51.el7.src", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "jenkins-0:2.303.3.1637698110-1.el7.noarch as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.noarch" }, "product_reference": "jenkins-0:2.303.3.1637698110-1.el7.noarch", 
"relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "jenkins-0:2.303.3.1637698110-1.el7.src as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.src" }, "product_reference": "jenkins-0:2.303.3.1637698110-1.el7.src", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "jenkins-2-plugins-0:3.11.1637699107-1.el7.noarch as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.noarch" }, "product_reference": "jenkins-2-plugins-0:3.11.1637699107-1.el7.noarch", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "jenkins-2-plugins-0:3.11.1637699107-1.el7.src as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.src" }, "product_reference": "jenkins-2-plugins-0:3.11.1637699107-1.el7.src", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.noarch as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.noarch" }, "product_reference": "openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.noarch", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.src as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.src" }, "product_reference": 
"openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.src", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-ansible-docs-0:3.11.569-1.git.0.9620ba1.el7.noarch as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:openshift-ansible-docs-0:3.11.569-1.git.0.9620ba1.el7.noarch" }, "product_reference": "openshift-ansible-docs-0:3.11.569-1.git.0.9620ba1.el7.noarch", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-ansible-playbooks-0:3.11.569-1.git.0.9620ba1.el7.noarch as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:openshift-ansible-playbooks-0:3.11.569-1.git.0.9620ba1.el7.noarch" }, "product_reference": "openshift-ansible-playbooks-0:3.11.569-1.git.0.9620ba1.el7.noarch", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-ansible-roles-0:3.11.569-1.git.0.9620ba1.el7.noarch as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:openshift-ansible-roles-0:3.11.569-1.git.0.9620ba1.el7.noarch" }, "product_reference": "openshift-ansible-roles-0:3.11.569-1.git.0.9620ba1.el7.noarch", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-ansible-test-0:3.11.569-1.git.0.9620ba1.el7.noarch as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:openshift-ansible-test-0:3.11.569-1.git.0.9620ba1.el7.noarch" }, "product_reference": "openshift-ansible-test-0:3.11.569-1.git.0.9620ba1.el7.noarch", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": 
"openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.ppc64le as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.ppc64le" }, "product_reference": "openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.ppc64le", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.src as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.src" }, "product_reference": "openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.src", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.x86_64 as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.x86_64" }, "product_reference": "openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.x86_64", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.ppc64le as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.ppc64le" }, "product_reference": "openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.ppc64le", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.src as a component of Red Hat OpenShift Container Platform 3.11", "product_id": 
"7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.src" }, "product_reference": "openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.src", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.x86_64 as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.x86_64" }, "product_reference": "openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.x86_64", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-kuryr-0:3.11.569-1.g0c4bf66.el7.src as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:openshift-kuryr-0:3.11.569-1.g0c4bf66.el7.src" }, "product_reference": "openshift-kuryr-0:3.11.569-1.g0c4bf66.el7.src", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-kuryr-cni-0:3.11.569-1.g0c4bf66.el7.noarch as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:openshift-kuryr-cni-0:3.11.569-1.g0c4bf66.el7.noarch" }, "product_reference": "openshift-kuryr-cni-0:3.11.569-1.g0c4bf66.el7.noarch", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-kuryr-common-0:3.11.569-1.g0c4bf66.el7.noarch as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:openshift-kuryr-common-0:3.11.569-1.g0c4bf66.el7.noarch" }, "product_reference": "openshift-kuryr-common-0:3.11.569-1.g0c4bf66.el7.noarch", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", 
"full_product_name": { "name": "openshift-kuryr-controller-0:3.11.569-1.g0c4bf66.el7.noarch as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:openshift-kuryr-controller-0:3.11.569-1.g0c4bf66.el7.noarch" }, "product_reference": "openshift-kuryr-controller-0:3.11.569-1.g0c4bf66.el7.noarch", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "prometheus-0:3.11.569-1.g99aae51.el7.ppc64le as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.ppc64le" }, "product_reference": "prometheus-0:3.11.569-1.g99aae51.el7.ppc64le", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "prometheus-0:3.11.569-1.g99aae51.el7.x86_64 as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.x86_64" }, "product_reference": "prometheus-0:3.11.569-1.g99aae51.el7.x86_64", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "prometheus-alertmanager-0:3.11.569-1.g13de638.el7.ppc64le as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.ppc64le" }, "product_reference": "prometheus-alertmanager-0:3.11.569-1.g13de638.el7.ppc64le", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "prometheus-alertmanager-0:3.11.569-1.g13de638.el7.x86_64 as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.x86_64" }, "product_reference": "prometheus-alertmanager-0:3.11.569-1.g13de638.el7.x86_64", 
"relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.ppc64le as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.ppc64le" }, "product_reference": "prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.ppc64le", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.x86_64 as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.x86_64" }, "product_reference": "prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.x86_64", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" }, { "category": "default_component_of", "full_product_name": { "name": "python2-kuryr-kubernetes-0:3.11.569-1.g0c4bf66.el7.noarch as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:python2-kuryr-kubernetes-0:3.11.569-1.g0c4bf66.el7.noarch" }, "product_reference": "python2-kuryr-kubernetes-0:3.11.569-1.g0c4bf66.el7.noarch", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-21685", "cwe": { "id": "CWE-281", "name": "Improper Preservation of Permissions" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.src", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-redistributable-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-docker-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.ppc64le", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-alertmanager-0:3.11.569-1.g13de638.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-node_exporter-0:3.11.569-1.g609cd20.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-prometheus-0:3.11.569-1.g99aae51.el7.src", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-docs-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-playbooks-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-roles-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-test-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.x86_64", 
"7Server-RH7-RHOSE-3.11:openshift-kuryr-0:3.11.569-1.g0c4bf66.el7.src", "7Server-RH7-RHOSE-3.11:openshift-kuryr-cni-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-common-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-controller-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.x86_64", "7Server-RH7-RHOSE-3.11:python2-kuryr-kubernetes-0:3.11.569-1.g0c4bf66.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020322" } ], "notes": [ { "category": "description", "text": "An incorrect permissions validation vulnerability was found in Jenkins. 
FilePath#mkdirs does not check permission to create parent directories, which may allow an attacker who controls the agent process to read and write arbitrary files on the Jenkins controller file system.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: FilePath#mkdirs does not check permission to create parent directories", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.src", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-redistributable-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-docker-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.src", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.ppc64le", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-alertmanager-0:3.11.569-1.g13de638.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-node_exporter-0:3.11.569-1.g609cd20.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-prometheus-0:3.11.569-1.g99aae51.el7.src", 
"7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-docs-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-playbooks-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-roles-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-test-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-kuryr-0:3.11.569-1.g0c4bf66.el7.src", "7Server-RH7-RHOSE-3.11:openshift-kuryr-cni-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-common-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-controller-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.x86_64", "7Server-RH7-RHOSE-3.11:python2-kuryr-kubernetes-0:3.11.569-1.g0c4bf66.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21685" }, { "category": "external", "summary": "RHBZ#2020322", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020322" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21685", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21685" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21685", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21685" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-02T22:04:06+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system is applied.\n\nSee the following documentation, which will be updated shortly for release 3.11.569, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html\n\nThis update is available via the Red Hat Network. 
Details on how to use the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258.", "product_ids": [ "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4827" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue and has not been able to identify a practical example. Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.src", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-redistributable-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.x86_64", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-docker-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.ppc64le", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-alertmanager-0:3.11.569-1.g13de638.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-node_exporter-0:3.11.569-1.g609cd20.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-prometheus-0:3.11.569-1.g99aae51.el7.src", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.src", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.noarch", 
"7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-docs-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-playbooks-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-roles-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-test-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-kuryr-0:3.11.569-1.g0c4bf66.el7.src", "7Server-RH7-RHOSE-3.11:openshift-kuryr-cni-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-common-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-controller-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.x86_64", 
"7Server-RH7-RHOSE-3.11:python2-kuryr-kubernetes-0:3.11.569-1.g0c4bf66.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: FilePath#mkdirs does not check permission to create parent directories" }, { "cve": "CVE-2021-21686", "cwe": { "id": "CWE-59", "name": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.src", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.x86_64", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-clients-redistributable-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-docker-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.ppc64le", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.x86_64", 
"7Server-RH7-RHOSE-3.11:golang-github-prometheus-alertmanager-0:3.11.569-1.g13de638.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-node_exporter-0:3.11.569-1.g609cd20.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-prometheus-0:3.11.569-1.g99aae51.el7.src", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-docs-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-playbooks-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-roles-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-test-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-kuryr-0:3.11.569-1.g0c4bf66.el7.src", "7Server-RH7-RHOSE-3.11:openshift-kuryr-cni-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-common-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-controller-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.x86_64", 
"7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.x86_64", "7Server-RH7-RHOSE-3.11:python2-kuryr-kubernetes-0:3.11.569-1.g0c4bf66.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020323" } ], "notes": [ { "category": "description", "text": "A link following vulnerability was found in Jenkins. The file path filters do not canonicalize paths allowing operations to follow symbolic links to directories they are not supposed to have access to. This may allow an attacker to read and write arbitrary files on the Jenkins controller file system.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: File path filters do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.src", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-redistributable-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-docker-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.ppc64le", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-alertmanager-0:3.11.569-1.g13de638.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-node_exporter-0:3.11.569-1.g609cd20.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-prometheus-0:3.11.569-1.g99aae51.el7.src", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-docs-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-playbooks-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-roles-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-test-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.x86_64", 
"7Server-RH7-RHOSE-3.11:openshift-kuryr-0:3.11.569-1.g0c4bf66.el7.src", "7Server-RH7-RHOSE-3.11:openshift-kuryr-cni-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-common-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-controller-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.x86_64", "7Server-RH7-RHOSE-3.11:python2-kuryr-kubernetes-0:3.11.569-1.g0c4bf66.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21686" }, { "category": "external", "summary": "RHBZ#2020323", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020323" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21686", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21686" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21686", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21686" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-02T22:04:06+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system is applied.\n\nSee the following documentation, which will be updated shortly for release 3.11.569, for important instructions on how to upgrade your 
cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258.", "product_ids": [ "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4827" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.src", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-redistributable-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-docker-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.src", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.ppc64le", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-alertmanager-0:3.11.569-1.g13de638.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-node_exporter-0:3.11.569-1.g609cd20.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-prometheus-0:3.11.569-1.g99aae51.el7.src", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.noarch", 
"7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.src", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-docs-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-playbooks-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-roles-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-test-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-kuryr-0:3.11.569-1.g0c4bf66.el7.src", "7Server-RH7-RHOSE-3.11:openshift-kuryr-cni-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-common-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-controller-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.x86_64", "7Server-RH7-RHOSE-3.11:python2-kuryr-kubernetes-0:3.11.569-1.g0c4bf66.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: File path filters do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories" }, { "cve": "CVE-2021-21687", "cwe": { "id": "CWE-59", "name": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.src", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-redistributable-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-docker-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.x86_64", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.ppc64le", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.src", 
"7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-alertmanager-0:3.11.569-1.g13de638.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-node_exporter-0:3.11.569-1.g609cd20.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-prometheus-0:3.11.569-1.g99aae51.el7.src", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-docs-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-playbooks-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-roles-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-test-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-kuryr-0:3.11.569-1.g0c4bf66.el7.src", "7Server-RH7-RHOSE-3.11:openshift-kuryr-cni-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-common-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-controller-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.x86_64", "7Server-RH7-RHOSE-3.11:python2-kuryr-kubernetes-0:3.11.569-1.g0c4bf66.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020324" } ], "notes": [ { "category": "description", "text": "An incorrect permissions validation vulnerability was found in Jenkins. The FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic link, which may allow an attacker to get read and write access to arbitrary files on the Jenkins controller file system.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic link", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.src", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-redistributable-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-docker-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.ppc64le", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-alertmanager-0:3.11.569-1.g13de638.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-node_exporter-0:3.11.569-1.g609cd20.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-prometheus-0:3.11.569-1.g99aae51.el7.src", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-docs-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-playbooks-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-roles-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-test-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.x86_64", 
"7Server-RH7-RHOSE-3.11:openshift-kuryr-0:3.11.569-1.g0c4bf66.el7.src", "7Server-RH7-RHOSE-3.11:openshift-kuryr-cni-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-common-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-controller-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.x86_64", "7Server-RH7-RHOSE-3.11:python2-kuryr-kubernetes-0:3.11.569-1.g0c4bf66.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21687" }, { "category": "external", "summary": "RHBZ#2020324", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020324" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21687", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21687" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21687", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21687" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-02T22:04:06+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system is applied.\n\nSee the following documentation, which will be updated shortly for release 3.11.569, for important instructions on how to upgrade your 
cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258.", "product_ids": [ "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4827" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.src", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-redistributable-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-docker-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.src", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.ppc64le", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-alertmanager-0:3.11.569-1.g13de638.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-node_exporter-0:3.11.569-1.g609cd20.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-prometheus-0:3.11.569-1.g99aae51.el7.src", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.noarch", 
"7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.src", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-docs-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-playbooks-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-roles-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-test-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-kuryr-0:3.11.569-1.g0c4bf66.el7.src", "7Server-RH7-RHOSE-3.11:openshift-kuryr-cni-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-common-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-controller-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.x86_64", "7Server-RH7-RHOSE-3.11:python2-kuryr-kubernetes-0:3.11.569-1.g0c4bf66.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic link" }, { "cve": "CVE-2021-21688", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.src", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-redistributable-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-docker-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.x86_64", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.ppc64le", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.src", 
"7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-alertmanager-0:3.11.569-1.g13de638.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-node_exporter-0:3.11.569-1.g609cd20.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-prometheus-0:3.11.569-1.g99aae51.el7.src", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-docs-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-playbooks-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-roles-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-test-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-kuryr-0:3.11.569-1.g0c4bf66.el7.src", "7Server-RH7-RHOSE-3.11:openshift-kuryr-cni-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-common-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-controller-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.x86_64", "7Server-RH7-RHOSE-3.11:python2-kuryr-kubernetes-0:3.11.569-1.g0c4bf66.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020327" } ], "notes": [ { "category": "description", "text": "An incorrect access restriction vulnerability was found in Jenkins. The FilePath#reading(FileVisitor) does not reject any operations giving users unrestricted read access with certain operations (creating archives, #copyRecursiveTo). This may allow an attacker to get access to restricted data.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: FilePath#reading(FileVisitor) does not reject any operations allowing users to have unrestricted read access", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.src", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-redistributable-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-docker-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.ppc64le", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-alertmanager-0:3.11.569-1.g13de638.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-node_exporter-0:3.11.569-1.g609cd20.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-prometheus-0:3.11.569-1.g99aae51.el7.src", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-docs-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-playbooks-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-roles-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-test-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.x86_64", 
"7Server-RH7-RHOSE-3.11:openshift-kuryr-0:3.11.569-1.g0c4bf66.el7.src", "7Server-RH7-RHOSE-3.11:openshift-kuryr-cni-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-common-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-controller-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.x86_64", "7Server-RH7-RHOSE-3.11:python2-kuryr-kubernetes-0:3.11.569-1.g0c4bf66.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21688" }, { "category": "external", "summary": "RHBZ#2020327", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020327" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21688", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21688" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21688", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21688" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-02T22:04:06+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system is applied.\n\nSee the following documentation, which will be updated shortly for release 3.11.569, for important instructions on how to upgrade your 
cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258.", "product_ids": [ "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4827" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.src", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-redistributable-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-docker-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.src", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.ppc64le", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-alertmanager-0:3.11.569-1.g13de638.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-node_exporter-0:3.11.569-1.g609cd20.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-prometheus-0:3.11.569-1.g99aae51.el7.src", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.noarch", 
"7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.src", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-docs-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-playbooks-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-roles-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-test-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-kuryr-0:3.11.569-1.g0c4bf66.el7.src", "7Server-RH7-RHOSE-3.11:openshift-kuryr-cni-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-common-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-controller-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.x86_64", "7Server-RH7-RHOSE-3.11:python2-kuryr-kubernetes-0:3.11.569-1.g0c4bf66.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: FilePath#reading(FileVisitor) does not reject any operations allowing users to have unrestricted read access" }, { "cve": "CVE-2021-21689", "cwe": { "id": "CWE-276", "name": "Incorrect Default Permissions" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.src", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-redistributable-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-docker-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.x86_64", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.ppc64le", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.src", 
"7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-alertmanager-0:3.11.569-1.g13de638.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-node_exporter-0:3.11.569-1.g609cd20.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-prometheus-0:3.11.569-1.g99aae51.el7.src", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-docs-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-playbooks-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-roles-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-test-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-kuryr-0:3.11.569-1.g0c4bf66.el7.src", "7Server-RH7-RHOSE-3.11:openshift-kuryr-cni-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-common-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-controller-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.x86_64", "7Server-RH7-RHOSE-3.11:python2-kuryr-kubernetes-0:3.11.569-1.g0c4bf66.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020335" } ], "notes": [ { "category": "description", "text": "An incorrect access control vulnerability was found in Jenkins. The FilePath#unzip and FilePath#untar were not subjected to any access control. An attacker with access to FilePath#unzip or FilePath#untar operations is able to read and write arbitrary files on the Jenkins controller file system.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: FilePath#unzip and FilePath#untar were not subject to any access control", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.src", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-redistributable-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-docker-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.ppc64le", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-alertmanager-0:3.11.569-1.g13de638.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-node_exporter-0:3.11.569-1.g609cd20.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-prometheus-0:3.11.569-1.g99aae51.el7.src", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-docs-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-playbooks-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-roles-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-test-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.x86_64", 
"7Server-RH7-RHOSE-3.11:openshift-kuryr-0:3.11.569-1.g0c4bf66.el7.src", "7Server-RH7-RHOSE-3.11:openshift-kuryr-cni-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-common-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-controller-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.x86_64", "7Server-RH7-RHOSE-3.11:python2-kuryr-kubernetes-0:3.11.569-1.g0c4bf66.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21689" }, { "category": "external", "summary": "RHBZ#2020335", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020335" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21689", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21689" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21689", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21689" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-02T22:04:06+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system is applied.\n\nSee the following documentation, which will be updated shortly for release 3.11.569, for important instructions on how to upgrade your 
cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258.", "product_ids": [ "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4827" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.src", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-redistributable-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-docker-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.src", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.ppc64le", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-alertmanager-0:3.11.569-1.g13de638.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-node_exporter-0:3.11.569-1.g609cd20.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-prometheus-0:3.11.569-1.g99aae51.el7.src", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.noarch", 
"7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.src", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-docs-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-playbooks-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-roles-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-test-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-kuryr-0:3.11.569-1.g0c4bf66.el7.src", "7Server-RH7-RHOSE-3.11:openshift-kuryr-cni-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-common-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-controller-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.x86_64", "7Server-RH7-RHOSE-3.11:python2-kuryr-kubernetes-0:3.11.569-1.g0c4bf66.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: FilePath#unzip and FilePath#untar were not subject to any access control" }, { "cve": "CVE-2021-21690", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.src", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-redistributable-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-docker-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.x86_64", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.ppc64le", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.src", 
"7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-alertmanager-0:3.11.569-1.g13de638.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-node_exporter-0:3.11.569-1.g609cd20.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-prometheus-0:3.11.569-1.g99aae51.el7.src", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-docs-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-playbooks-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-roles-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-test-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-kuryr-0:3.11.569-1.g0c4bf66.el7.src", "7Server-RH7-RHOSE-3.11:openshift-kuryr-cni-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-common-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-controller-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.x86_64", "7Server-RH7-RHOSE-3.11:python2-kuryr-kubernetes-0:3.11.569-1.g0c4bf66.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020336" } ], "notes": [ { "category": "description", "text": "A file path filtering bypass vulnerability was found in Jenkins. Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path. This may allow an attacker who controls the agent process to get read and write access to arbitrary files on the Jenkins controller file system.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.src", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.x86_64", 
"7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-redistributable-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-docker-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.ppc64le", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-alertmanager-0:3.11.569-1.g13de638.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-node_exporter-0:3.11.569-1.g609cd20.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-prometheus-0:3.11.569-1.g99aae51.el7.src", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-docs-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-playbooks-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-roles-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-test-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-kuryr-0:3.11.569-1.g0c4bf66.el7.src", "7Server-RH7-RHOSE-3.11:openshift-kuryr-cni-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-common-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-controller-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.x86_64", "7Server-RH7-RHOSE-3.11:python2-kuryr-kubernetes-0:3.11.569-1.g0c4bf66.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21690" }, { "category": "external", "summary": "RHBZ#2020336", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020336" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21690", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21690" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21690", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21690" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-02T22:04:06+00:00", "details": "Before applying this update, ensure all previously 
released errata relevant to your system is applied.\n\nSee the following documentation, which will be updated shortly for release 3.11.569, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258.", "product_ids": [ "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4827" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.src", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.x86_64", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-clients-redistributable-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-docker-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.ppc64le", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.x86_64", 
"7Server-RH7-RHOSE-3.11:golang-github-prometheus-alertmanager-0:3.11.569-1.g13de638.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-node_exporter-0:3.11.569-1.g609cd20.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-prometheus-0:3.11.569-1.g99aae51.el7.src", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.src", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-docs-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-playbooks-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-roles-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-test-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-kuryr-0:3.11.569-1.g0c4bf66.el7.src", "7Server-RH7-RHOSE-3.11:openshift-kuryr-cni-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-common-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-controller-0:3.11.569-1.g0c4bf66.el7.noarch", 
"7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.x86_64", "7Server-RH7-RHOSE-3.11:python2-kuryr-kubernetes-0:3.11.569-1.g0c4bf66.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path" }, { "cve": "CVE-2021-21691", "cwe": { "id": "CWE-276", "name": "Incorrect Default Permissions" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.src", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.x86_64", 
"7Server-RH7-RHOSE-3.11:openshift-kuryr-cni-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-common-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-controller-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.x86_64", "7Server-RH7-RHOSE-3.11:python2-kuryr-kubernetes-0:3.11.569-1.g0c4bf66.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020338" } ], "notes": [ { "category": "description", "text": "A vulnerability was found in Jenkins which failed to correctly validate permissions. This flaw allowed any user to create symbolic links regardless if they had the symlink permission. 
It may allow an attacker to read and write to arbitrary files on the Jenkins controller file system.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: Creating symbolic links is possible without the symlink permission", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.src", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-redistributable-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.src", 
"7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.x86_64", "7Server-RH7-RHOSE-3.11:python2-kuryr-kubernetes-0:3.11.569-1.g0c4bf66.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21691" }, { "category": "external", "summary": "RHBZ#2020338", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020338" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21691", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21691" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21691", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21691" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-02T22:04:06+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system is applied.\n\nSee the following documentation, which will be updated shortly for release 3.11.569, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html\n\nThis update is available via the Red Hat Network. 
Details on how to use the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258.", "product_ids": [ "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4827" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.src", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-redistributable-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.x86_64", 
"7Server-RH7-RHOSE-3.11:python2-kuryr-kubernetes-0:3.11.569-1.g0c4bf66.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: Creating symbolic links is possible without the symlink permission" }, { "cve": "CVE-2021-21692", "cwe": { "id": "CWE-276", "name": "Incorrect Default Permissions" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.src", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-redistributable-0:3.11.569-1.git.0.9dc951a.el7.x86_64", 
"7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.x86_64", "7Server-RH7-RHOSE-3.11:python2-kuryr-kubernetes-0:3.11.569-1.g0c4bf66.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020339" } ], "notes": [ { "category": "description", "text": "An incorrect permissions validation vulnerability was found in Jenkins. The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the source path which may allow an attacker who has access to these operations to be able to read and write to arbitrary files on the Jenkins controller file system.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the source path", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.src", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.ppc64le", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-alertmanager-0:3.11.569-1.g13de638.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-node_exporter-0:3.11.569-1.g609cd20.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-prometheus-0:3.11.569-1.g99aae51.el7.src", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-docs-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-playbooks-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-roles-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-test-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-kuryr-0:3.11.569-1.g0c4bf66.el7.src", "7Server-RH7-RHOSE-3.11:openshift-kuryr-cni-0:3.11.569-1.g0c4bf66.el7.noarch", 
"7Server-RH7-RHOSE-3.11:openshift-kuryr-common-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-controller-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.x86_64", "7Server-RH7-RHOSE-3.11:python2-kuryr-kubernetes-0:3.11.569-1.g0c4bf66.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21692" }, { "category": "external", "summary": "RHBZ#2020339", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020339" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21692", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21692" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21692", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21692" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-02T22:04:06+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system is applied.\n\nSee the following documentation, which will be updated shortly for release 3.11.569, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata 
update:\n\nhttps://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258.", "product_ids": [ "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4827" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.src", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-redistributable-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.src", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-docker-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.src", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.ppc64le", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-alertmanager-0:3.11.569-1.g13de638.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-node_exporter-0:3.11.569-1.g609cd20.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-prometheus-0:3.11.569-1.g99aae51.el7.src", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.noarch", 
"7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.src", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-docs-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-playbooks-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-roles-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-test-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-kuryr-0:3.11.569-1.g0c4bf66.el7.src", "7Server-RH7-RHOSE-3.11:openshift-kuryr-cni-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-common-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-controller-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.x86_64", "7Server-RH7-RHOSE-3.11:python2-kuryr-kubernetes-0:3.11.569-1.g0c4bf66.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the source path" }, { "cve": "CVE-2021-21693", "cwe": { "id": "CWE-276", "name": "Incorrect Default Permissions" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.src", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-redistributable-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-docker-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.x86_64", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.ppc64le", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.src", 
"7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-alertmanager-0:3.11.569-1.g13de638.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-node_exporter-0:3.11.569-1.g609cd20.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-prometheus-0:3.11.569-1.g99aae51.el7.src", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-docs-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-playbooks-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-roles-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-test-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-kuryr-0:3.11.569-1.g0c4bf66.el7.src", "7Server-RH7-RHOSE-3.11:openshift-kuryr-cni-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-common-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-controller-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.x86_64", "7Server-RH7-RHOSE-3.11:python2-kuryr-kubernetes-0:3.11.569-1.g0c4bf66.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020341" } ], "notes": [ { "category": "description", "text": "An incorrect permissions validation vulnerability was found in Jenkins. The permissions to create temporary files are only checked after they have been created. This may allow an attacker to get access to restricted data.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: When creating temporary files, permission to create files is only checked after they\u2019ve been created.", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.src", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-redistributable-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-docker-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.ppc64le", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-alertmanager-0:3.11.569-1.g13de638.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-node_exporter-0:3.11.569-1.g609cd20.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-prometheus-0:3.11.569-1.g99aae51.el7.src", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-docs-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-playbooks-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-roles-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-test-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.x86_64", 
"7Server-RH7-RHOSE-3.11:openshift-kuryr-0:3.11.569-1.g0c4bf66.el7.src", "7Server-RH7-RHOSE-3.11:openshift-kuryr-cni-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-common-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-controller-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.x86_64", "7Server-RH7-RHOSE-3.11:python2-kuryr-kubernetes-0:3.11.569-1.g0c4bf66.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21693" }, { "category": "external", "summary": "RHBZ#2020341", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020341" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21693", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21693" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21693", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21693" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-02T22:04:06+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system is applied.\n\nSee the following documentation, which will be updated shortly for release 3.11.569, for important instructions on how to upgrade your 
cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258.", "product_ids": [ "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4827" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.src", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-redistributable-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-docker-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.src", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.ppc64le", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-alertmanager-0:3.11.569-1.g13de638.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-node_exporter-0:3.11.569-1.g609cd20.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-prometheus-0:3.11.569-1.g99aae51.el7.src", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.noarch", 
"7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.src", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-docs-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-playbooks-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-roles-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-test-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-kuryr-0:3.11.569-1.g0c4bf66.el7.src", "7Server-RH7-RHOSE-3.11:openshift-kuryr-cni-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-common-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-controller-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.x86_64", "7Server-RH7-RHOSE-3.11:python2-kuryr-kubernetes-0:3.11.569-1.g0c4bf66.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: When creating temporary files, permission to create files is only checked after they\u2019ve been created." }, { "cve": "CVE-2021-21694", "cwe": { "id": "CWE-863", "name": "Incorrect Authorization" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.src", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-redistributable-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-docker-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.x86_64", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.ppc64le", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.src", 
"7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-alertmanager-0:3.11.569-1.g13de638.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-node_exporter-0:3.11.569-1.g609cd20.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-prometheus-0:3.11.569-1.g99aae51.el7.src", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-docs-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-playbooks-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-roles-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-test-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-kuryr-0:3.11.569-1.g0c4bf66.el7.src", "7Server-RH7-RHOSE-3.11:openshift-kuryr-cni-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-common-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-controller-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.x86_64", "7Server-RH7-RHOSE-3.11:python2-kuryr-kubernetes-0:3.11.569-1.g0c4bf66.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020342" } ], "notes": [ { "category": "description", "text": "An incorrect permissions validation vulnerability was found in Jenkins. The FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions, which may allow an attacker who has access to any of these operations to be able to read and write arbitrary files on the Jenkins controller file system.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.src", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.x86_64", 
"7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-redistributable-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-docker-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.ppc64le", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-alertmanager-0:3.11.569-1.g13de638.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-node_exporter-0:3.11.569-1.g609cd20.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-prometheus-0:3.11.569-1.g99aae51.el7.src", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-docs-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-playbooks-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-roles-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-test-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-kuryr-0:3.11.569-1.g0c4bf66.el7.src", "7Server-RH7-RHOSE-3.11:openshift-kuryr-cni-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-common-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-controller-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.x86_64", "7Server-RH7-RHOSE-3.11:python2-kuryr-kubernetes-0:3.11.569-1.g0c4bf66.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21694" }, { "category": "external", "summary": "RHBZ#2020342", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020342" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21694", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21694" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21694", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21694" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-02T22:04:06+00:00", "details": "Before applying this update, ensure all previously 
released errata relevant to your system is applied.\n\nSee the following documentation, which will be updated shortly for release 3.11.569, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258.", "product_ids": [ "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4827" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.src", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.x86_64", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-clients-redistributable-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-docker-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.ppc64le", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.x86_64", 
"7Server-RH7-RHOSE-3.11:golang-github-prometheus-alertmanager-0:3.11.569-1.g13de638.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-node_exporter-0:3.11.569-1.g609cd20.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-prometheus-0:3.11.569-1.g99aae51.el7.src", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.src", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-docs-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-playbooks-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-roles-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-test-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-kuryr-0:3.11.569-1.g0c4bf66.el7.src", "7Server-RH7-RHOSE-3.11:openshift-kuryr-cni-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-common-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-controller-0:3.11.569-1.g0c4bf66.el7.noarch", 
"7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.x86_64", "7Server-RH7-RHOSE-3.11:python2-kuryr-kubernetes-0:3.11.569-1.g0c4bf66.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions" }, { "cve": "CVE-2021-21695", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.src", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-redistributable-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-docker-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.ppc64le", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-alertmanager-0:3.11.569-1.g13de638.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-node_exporter-0:3.11.569-1.g609cd20.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-prometheus-0:3.11.569-1.g99aae51.el7.src", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-docs-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-playbooks-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-roles-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-test-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.x86_64", 
"7Server-RH7-RHOSE-3.11:openshift-kuryr-0:3.11.569-1.g0c4bf66.el7.src", "7Server-RH7-RHOSE-3.11:openshift-kuryr-cni-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-common-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-controller-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.x86_64", "7Server-RH7-RHOSE-3.11:python2-kuryr-kubernetes-0:3.11.569-1.g0c4bf66.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020343" } ], "notes": [ { "category": "description", "text": "An incorrect permissions validation vulnerability was found in Jenkins. FilePath#listFiles lists files outside directories with agent read access when following symbolic links. 
This may allow an attacker to get access to restricted data.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: FilePath#listFiles lists files outside directories with agent read access when following symbolic links.", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.src", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-redistributable-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.src", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-docker-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.src", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.ppc64le", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-alertmanager-0:3.11.569-1.g13de638.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-node_exporter-0:3.11.569-1.g609cd20.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-prometheus-0:3.11.569-1.g99aae51.el7.src", 
"7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-docs-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-playbooks-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-roles-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-test-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-kuryr-0:3.11.569-1.g0c4bf66.el7.src", "7Server-RH7-RHOSE-3.11:openshift-kuryr-cni-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-common-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-controller-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.x86_64", "7Server-RH7-RHOSE-3.11:python2-kuryr-kubernetes-0:3.11.569-1.g0c4bf66.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21695" }, { "category": "external", "summary": "RHBZ#2020343", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020343" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21695", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21695" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21695", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21695" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-02T22:04:06+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system is applied.\n\nSee the following documentation, which will be updated shortly for release 3.11.569, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html\n\nThis update is available via the Red Hat Network. 
Details on how to use the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258.", "product_ids": [ "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4827" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.src", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-redistributable-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.x86_64", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-docker-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.ppc64le", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-alertmanager-0:3.11.569-1.g13de638.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-node_exporter-0:3.11.569-1.g609cd20.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-prometheus-0:3.11.569-1.g99aae51.el7.src", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.src", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.noarch", 
"7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-docs-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-playbooks-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-roles-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-test-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-kuryr-0:3.11.569-1.g0c4bf66.el7.src", "7Server-RH7-RHOSE-3.11:openshift-kuryr-cni-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-common-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-controller-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.x86_64", 
"7Server-RH7-RHOSE-3.11:python2-kuryr-kubernetes-0:3.11.569-1.g0c4bf66.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: FilePath#listFiles lists files outside directories with agent read access when following symbolic links." }, { "cve": "CVE-2021-21696", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.src", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.x86_64", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-clients-redistributable-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-docker-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.ppc64le", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.x86_64", 
"7Server-RH7-RHOSE-3.11:golang-github-prometheus-alertmanager-0:3.11.569-1.g13de638.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-node_exporter-0:3.11.569-1.g609cd20.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-prometheus-0:3.11.569-1.g99aae51.el7.src", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-docs-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-playbooks-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-roles-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-test-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-kuryr-0:3.11.569-1.g0c4bf66.el7.src", "7Server-RH7-RHOSE-3.11:openshift-kuryr-cni-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-common-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-controller-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.x86_64", 
"7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.x86_64", "7Server-RH7-RHOSE-3.11:python2-kuryr-kubernetes-0:3.11.569-1.g0c4bf66.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020344" } ], "notes": [ { "category": "description", "text": "An incorrect permissions validation vulnerability was found in Jenkins. Agent processes are not prevented from reading and writing the libs/ directory inside build directories through the FilePath APIs. This allows attackers in control of agent processes to replace the code of a trusted library with a modified variant, resulting in unsandboxed code execution in the Jenkins controller process.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: Agent-to-controller access control allowed writing to sensitive directory used by Pipeline: Shared Groovy Libraries Plugin", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.src", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.x86_64", 
"7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-redistributable-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-docker-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.ppc64le", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-alertmanager-0:3.11.569-1.g13de638.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-node_exporter-0:3.11.569-1.g609cd20.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-prometheus-0:3.11.569-1.g99aae51.el7.src", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-docs-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-playbooks-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-roles-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-test-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-kuryr-0:3.11.569-1.g0c4bf66.el7.src", "7Server-RH7-RHOSE-3.11:openshift-kuryr-cni-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-common-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-controller-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.x86_64", "7Server-RH7-RHOSE-3.11:python2-kuryr-kubernetes-0:3.11.569-1.g0c4bf66.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21696" }, { "category": "external", "summary": "RHBZ#2020344", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020344" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21696", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21696" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21696", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21696" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2423", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2423" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-02T22:04:06+00:00", "details": "Before applying this update, ensure all previously 
released errata relevant to your system is applied.\n\nSee the following documentation, which will be updated shortly for release 3.11.569, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258.", "product_ids": [ "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4827" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.src", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.x86_64", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-clients-redistributable-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-docker-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.ppc64le", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.x86_64", 
"7Server-RH7-RHOSE-3.11:golang-github-prometheus-alertmanager-0:3.11.569-1.g13de638.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-node_exporter-0:3.11.569-1.g609cd20.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-prometheus-0:3.11.569-1.g99aae51.el7.src", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.src", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-docs-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-playbooks-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-roles-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-test-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-kuryr-0:3.11.569-1.g0c4bf66.el7.src", "7Server-RH7-RHOSE-3.11:openshift-kuryr-cni-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-common-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-controller-0:3.11.569-1.g0c4bf66.el7.noarch", 
"7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.x86_64", "7Server-RH7-RHOSE-3.11:python2-kuryr-kubernetes-0:3.11.569-1.g0c4bf66.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: Agent-to-controller access control allowed writing to sensitive directory used by Pipeline: Shared Groovy Libraries Plugin" }, { "cve": "CVE-2021-21697", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.src", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-redistributable-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-docker-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.ppc64le", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-alertmanager-0:3.11.569-1.g13de638.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-node_exporter-0:3.11.569-1.g609cd20.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-prometheus-0:3.11.569-1.g99aae51.el7.src", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-docs-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-playbooks-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-roles-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-test-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.x86_64", 
"7Server-RH7-RHOSE-3.11:openshift-kuryr-0:3.11.569-1.g0c4bf66.el7.src", "7Server-RH7-RHOSE-3.11:openshift-kuryr-cni-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-common-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-controller-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.x86_64", "7Server-RH7-RHOSE-3.11:python2-kuryr-kubernetes-0:3.11.569-1.g0c4bf66.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020345" } ], "notes": [ { "category": "description", "text": "An incorrect access restriction vulnerability was found in Jenkins. The directories agents are allowed to access include the directories where there are stored build-related information intended to allow agents to store build-related metadata during build execution. 
As a consequence, this allows an attacker who controls agent process to read and write the contents of any build directory stored in Jenkins with very few restrictions (build.xml and some Pipeline-related metadata).", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: Agent-to-controller access control allows reading/writing most content of build directories", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.src", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-redistributable-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-descheduler-0:3.11.569-1.gd435537.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-docker-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-dockerregistry-0:3.11.569-1.g3571208.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-excluder-0:3.11.569-1.git.0.9dc951a.el7.noarch", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hyperkube-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-hypershift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-master-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-metrics-server-0:3.11.569-1.gf8bf728.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.src", 
"7Server-RH7-RHOSE-3.11:atomic-openshift-node-problem-detector-0:3.11.569-1.gc8f26da.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-pod-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-sdn-ovs-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-service-idler-0:3.11.569-1.g39cfc66.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-template-service-broker-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-tests-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.569-1.g3e485e6.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.ppc64le", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-openshift-oauth-proxy-0:3.11.569-1.gedebe84.el7.x86_64", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-alertmanager-0:3.11.569-1.g13de638.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-node_exporter-0:3.11.569-1.g609cd20.el7.src", "7Server-RH7-RHOSE-3.11:golang-github-prometheus-prometheus-0:3.11.569-1.g99aae51.el7.src", 
"7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-0:3.11.569-1.git.0.9620ba1.el7.src", "7Server-RH7-RHOSE-3.11:openshift-ansible-docs-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-playbooks-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-roles-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-ansible-test-0:3.11.569-1.git.0.9620ba1.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-autoheal-0:3.11.569-1.gf2f435d.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.ppc64le", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.src", "7Server-RH7-RHOSE-3.11:openshift-enterprise-cluster-capacity-0:3.11.569-1.g22be164.el7.x86_64", "7Server-RH7-RHOSE-3.11:openshift-kuryr-0:3.11.569-1.g0c4bf66.el7.src", "7Server-RH7-RHOSE-3.11:openshift-kuryr-cni-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-common-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-controller-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.x86_64", "7Server-RH7-RHOSE-3.11:python2-kuryr-kubernetes-0:3.11.569-1.g0c4bf66.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21697" }, { "category": "external", "summary": "RHBZ#2020345", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020345" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21697", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21697" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21697", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21697" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2428", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2428" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-02T22:04:06+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system is applied.\n\nSee the following documentation, which will be updated shortly for release 3.11.569, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html\n\nThis update is available via the Red Hat Network. 
Details on how to use the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258.", "product_ids": [ "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4827" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.src", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-redistributable-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-cluster-autoscaler-0:3.11.569-1.g99b2acf.el7.x86_64", 
"7Server-RH7-RHOSE-3.11:python2-kuryr-kubernetes-0:3.11.569-1.g0c4bf66.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-0:2.303.3.1637698110-1.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: Agent-to-controller access control allows reading/writing most content of build directories" }, { "cve": "CVE-2021-21698", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.src", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.src", "7Server-RH7-RHOSE-3.11:atomic-openshift-0:3.11.569-1.git.0.9dc951a.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-openshift-clients-0:3.11.569-1.git.0.9dc951a.el7.x86_64", 
"7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.x86_64", "7Server-RH7-RHOSE-3.11:python2-kuryr-kubernetes-0:3.11.569-1.g0c4bf66.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020385" } ], "notes": [ { "category": "description", "text": "An incorrect access restriction vulnerability was found in the Subversion Plugin for Jenkins. An agent\u0027s ability to learn the name of a file is not restricted when looking up a subversion key file on the controller. This may allow attackers to control agent processes and read arbitrary files on the Jenkins controller file system.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins-2-plugins/subversion: does not restrict the name of a file when looking up a subversion key", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.ppc64le", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.src", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-1:3.11.569-1.g2e6be86.el7.x86_64", "7Server-RH7-RHOSE-3.11:atomic-enterprise-service-catalog-svcat-1:3.11.569-1.g2e6be86.el7.ppc64le", 
"7Server-RH7-RHOSE-3.11:openshift-kuryr-0:3.11.569-1.g0c4bf66.el7.src", "7Server-RH7-RHOSE-3.11:openshift-kuryr-cni-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-common-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:openshift-kuryr-controller-0:3.11.569-1.g0c4bf66.el7.noarch", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-0:3.11.569-1.g99aae51.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-alertmanager-0:3.11.569-1.g13de638.el7.x86_64", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.ppc64le", "7Server-RH7-RHOSE-3.11:prometheus-node-exporter-0:3.11.569-1.g609cd20.el7.x86_64", "7Server-RH7-RHOSE-3.11:python2-kuryr-kubernetes-0:3.11.569-1.g0c4bf66.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21698" }, { "category": "external", "summary": "RHBZ#2020385", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020385" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21698", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21698" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21698", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21698" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2506", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2506" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-02T22:04:06+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system is applied.\n\nSee the following documentation, which will be updated shortly for release 3.11.569, for important instructions on how to upgrade your 
cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258.", "product_ids": [ "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4827" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.noarch", "7Server-RH7-RHOSE-3.11:jenkins-2-plugins-0:3.11.1637699107-1.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jenkins-2-plugins/subversion: does not restrict the name of a file when looking up a subversion key" } ] }
rhsa-2021_4801
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat OpenShift Container Platform release 4.7.38 is now available with updates to packages and images that fix several bugs and add enhancements.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nThis advisory contains the RPM packages for Red Hat OpenShift Container\nPlatform 4.7.38. See the following advisory for the container images for\nthis release:\n\nhttps://access.redhat.com/errata/RHBA-2021:4802\n\nAll OpenShift Container Platform 4.7 users are advised to upgrade to these\nupdated packages and images when they are available in the appropriate\nrelease channel. To check for available updates, use the OpenShift Console\nor the CLI oc command. 
Instructions for upgrading a cluster are available\nat\nhttps://docs.openshift.com/container-platform/4.7/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor\nSecurity Fix(es):\n\n* jenkins-2-plugins/subversion: does not restrict the name of a file when\nlooking up a subversion key (CVE-2021-21698)\n* jenkins: FilePath#mkdirs does not check permission to create parent\ndirectories (CVE-2021-21685)\n* jenkins: File path filters do not canonicalize paths, allowing operations\nto follow symbolic links to outside allowed directories (CVE-2021-21686)\n* jenkins: FilePath#untar does not check permission to create symbolic\nlinks when unarchiving a symbolic link (CVE-2021-21687)\n* jenkins: FilePath#reading(FileVisitor) does not reject any operations\nallowing users to have unrestricted read access (CVE-2021-21688)\n* jenkins: FilePath#unzip and FilePath#untar were not subject to any access\ncontrol (CVE-2021-21689)\n* jenkins: Agent processes are able to completely bypass file path\nfiltering by wrapping the file operation in an agent file path\n(CVE-2021-21690)\n* jenkins: Creating symbolic links is possible without the symlink\npermission (CVE-2021-21691)\n* jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo\nonly check read permission on the source path (CVE-2021-21692)\n* jenkins: When creating temporary files, permission to create files is\nonly checked after they\u2019ve been created. (CVE-2021-21693)\n* jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize,\nFilePath#isDescendant, and FilePath#get*DiskSpace do not check any\npermissions (CVE-2021-21694)\n* jenkins: FilePath#listFiles lists files outside directories with agent\nread access when following symbolic links. 
(CVE-2021-21695)\n* jenkins: Agent-to-controller access control allowed writing to sensitive\ndirectory used by Pipeline: Shared Groovy Libraries Plugin (CVE-2021-21696)\n* jenkins: Agent-to-controller access control allows reading/writing most\ncontent of build directories (CVE-2021-21697)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s)\nlisted in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:4801", "url": "https://access.redhat.com/errata/RHSA-2021:4801" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "2020322", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020322" }, { "category": "external", "summary": "2020323", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020323" }, { "category": "external", "summary": "2020324", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020324" }, { "category": "external", "summary": "2020327", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020327" }, { "category": 
"external", "summary": "2020335", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020335" }, { "category": "external", "summary": "2020336", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020336" }, { "category": "external", "summary": "2020338", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020338" }, { "category": "external", "summary": "2020339", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020339" }, { "category": "external", "summary": "2020341", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020341" }, { "category": "external", "summary": "2020342", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020342" }, { "category": "external", "summary": "2020343", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020343" }, { "category": "external", "summary": "2020344", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020344" }, { "category": "external", "summary": "2020345", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020345" }, { "category": "external", "summary": "2020385", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020385" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_4801.json" } ], "title": "Red Hat Security Advisory: OpenShift Container Platform 4.7.38 security update", "tracking": { "current_release_date": "2024-11-06T00:11:59+00:00", "generator": { "date": "2024-11-06T00:11:59+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2021:4801", "initial_release_date": "2021-12-01T12:28:59+00:00", "revision_history": [ { "date": "2021-12-01T12:28:59+00:00", "number": "1", "summary": "Initial version" }, { "date": "2021-12-01T12:28:59+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-06T00:11:59+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": 
[ { "category": "product_name", "name": "Red Hat OpenShift Container Platform 4.7", "product": { "name": "Red Hat OpenShift Container Platform 4.7", "product_id": "7Server-RH7-RHOSE-4.7", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:4.7::el7" } } }, { "category": "product_name", "name": "Red Hat OpenShift Container Platform 4.7", "product": { "name": "Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:4.7::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.src", "product": { "name": "cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.src", "product_id": "cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o@1.20.6-3.rhaos4.7.git4603183.el7?arch=src" } } }, { "category": "product_version", "name": "openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.src", "product": { "name": "openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.src", "product_id": "openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift@4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7?arch=src" } } }, { "category": "product_version", "name": "cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.src", "product": { "name": "cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.src", "product_id": "cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o@1.20.6-3.rhaos4.7.git4603183.el8?arch=src" } } }, { "category": "product_version", "name": "jenkins-0:2.303.3.1637597018-1.el8.src", "product": { "name": "jenkins-0:2.303.3.1637597018-1.el8.src", "product_id": "jenkins-0:2.303.3.1637597018-1.el8.src", "product_identification_helper": { "purl": 
"pkg:rpm/redhat/jenkins@2.303.3.1637597018-1.el8?arch=src" } } }, { "category": "product_version", "name": "jenkins-2-plugins-0:4.7.1637600997-1.el8.src", "product": { "name": "jenkins-2-plugins-0:4.7.1637600997-1.el8.src", "product_id": "jenkins-2-plugins-0:4.7.1637600997-1.el8.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jenkins-2-plugins@4.7.1637600997-1.el8?arch=src" } } }, { "category": "product_version", "name": "openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src", "product": { "name": "openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src", "product_id": "openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift@4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "product": { "name": "cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "product_id": "cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o@1.20.6-3.rhaos4.7.git4603183.el7?arch=x86_64" } } }, { "category": "product_version", "name": "cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "product": { "name": "cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "product_id": "cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o-debuginfo@1.20.6-3.rhaos4.7.git4603183.el7?arch=x86_64" } } }, { "category": "product_version", "name": "openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.x86_64", "product": { "name": "openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.x86_64", "product_id": "openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.x86_64", "product_identification_helper": { "purl": 
"pkg:rpm/redhat/openshift-hyperkube@4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7?arch=x86_64" } } }, { "category": "product_version", "name": "cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "product": { "name": "cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "product_id": "cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o@1.20.6-3.rhaos4.7.git4603183.el8?arch=x86_64" } } }, { "category": "product_version", "name": "cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "product": { "name": "cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "product_id": "cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o-debugsource@1.20.6-3.rhaos4.7.git4603183.el8?arch=x86_64" } } }, { "category": "product_version", "name": "cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "product": { "name": "cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "product_id": "cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o-debuginfo@1.20.6-3.rhaos4.7.git4603183.el8?arch=x86_64" } } }, { "category": "product_version", "name": "openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.x86_64", "product": { "name": "openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.x86_64", "product_id": "openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift-hyperkube@4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_version", "name": "cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "product": { "name": "cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "product_id": 
"cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o@1.20.6-3.rhaos4.7.git4603183.el8?arch=ppc64le" } } }, { "category": "product_version", "name": "cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "product": { "name": "cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "product_id": "cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o-debugsource@1.20.6-3.rhaos4.7.git4603183.el8?arch=ppc64le" } } }, { "category": "product_version", "name": "cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "product": { "name": "cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "product_id": "cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o-debuginfo@1.20.6-3.rhaos4.7.git4603183.el8?arch=ppc64le" } } }, { "category": "product_version", "name": "openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.ppc64le", "product": { "name": "openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.ppc64le", "product_id": "openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift-hyperkube@4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8?arch=ppc64le" } } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "product": { "name": "cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "product_id": "cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o@1.20.6-3.rhaos4.7.git4603183.el8?arch=s390x" } } }, { "category": "product_version", "name": "cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "product": { "name": 
"cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "product_id": "cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o-debugsource@1.20.6-3.rhaos4.7.git4603183.el8?arch=s390x" } } }, { "category": "product_version", "name": "cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "product": { "name": "cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "product_id": "cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o-debuginfo@1.20.6-3.rhaos4.7.git4603183.el8?arch=s390x" } } }, { "category": "product_version", "name": "openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.s390x", "product": { "name": "openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.s390x", "product_id": "openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift-hyperkube@4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8?arch=s390x" } } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "jenkins-0:2.303.3.1637597018-1.el8.noarch", "product": { "name": "jenkins-0:2.303.3.1637597018-1.el8.noarch", "product_id": "jenkins-0:2.303.3.1637597018-1.el8.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jenkins@2.303.3.1637597018-1.el8?arch=noarch" } } }, { "category": "product_version", "name": "jenkins-2-plugins-0:4.7.1637600997-1.el8.noarch", "product": { "name": "jenkins-2-plugins-0:4.7.1637600997-1.el8.noarch", "product_id": "jenkins-2-plugins-0:4.7.1637600997-1.el8.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jenkins-2-plugins@4.7.1637600997-1.el8?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": 
"default_component_of", "full_product_name": { "name": "cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.src as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.src" }, "product_reference": "cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.src", "relates_to_product_reference": "7Server-RH7-RHOSE-4.7" }, { "category": "default_component_of", "full_product_name": { "name": "cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64 as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64" }, "product_reference": "cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "relates_to_product_reference": "7Server-RH7-RHOSE-4.7" }, { "category": "default_component_of", "full_product_name": { "name": "cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64 as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64" }, "product_reference": "cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "relates_to_product_reference": "7Server-RH7-RHOSE-4.7" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.src as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "7Server-RH7-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.src" }, "product_reference": "openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.src", "relates_to_product_reference": "7Server-RH7-RHOSE-4.7" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.x86_64 as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "7Server-RH7-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.x86_64" }, 
"product_reference": "openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.x86_64", "relates_to_product_reference": "7Server-RH7-RHOSE-4.7" }, { "category": "default_component_of", "full_product_name": { "name": "cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le" }, "product_reference": "cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "relates_to_product_reference": "8Base-RHOSE-4.7" }, { "category": "default_component_of", "full_product_name": { "name": "cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x" }, "product_reference": "cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "relates_to_product_reference": "8Base-RHOSE-4.7" }, { "category": "default_component_of", "full_product_name": { "name": "cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.src as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.src" }, "product_reference": "cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.src", "relates_to_product_reference": "8Base-RHOSE-4.7" }, { "category": "default_component_of", "full_product_name": { "name": "cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64" }, "product_reference": "cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "relates_to_product_reference": "8Base-RHOSE-4.7" }, { "category": "default_component_of", "full_product_name": { "name": "cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le" }, 
"product_reference": "cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "relates_to_product_reference": "8Base-RHOSE-4.7" }, { "category": "default_component_of", "full_product_name": { "name": "cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x" }, "product_reference": "cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "relates_to_product_reference": "8Base-RHOSE-4.7" }, { "category": "default_component_of", "full_product_name": { "name": "cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64" }, "product_reference": "cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "relates_to_product_reference": "8Base-RHOSE-4.7" }, { "category": "default_component_of", "full_product_name": { "name": "cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le" }, "product_reference": "cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "relates_to_product_reference": "8Base-RHOSE-4.7" }, { "category": "default_component_of", "full_product_name": { "name": "cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x" }, "product_reference": "cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "relates_to_product_reference": "8Base-RHOSE-4.7" }, { "category": "default_component_of", "full_product_name": { "name": "cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64 as a component of Red Hat OpenShift Container Platform 
4.7", "product_id": "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64" }, "product_reference": "cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "relates_to_product_reference": "8Base-RHOSE-4.7" }, { "category": "default_component_of", "full_product_name": { "name": "jenkins-0:2.303.3.1637597018-1.el8.noarch as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch" }, "product_reference": "jenkins-0:2.303.3.1637597018-1.el8.noarch", "relates_to_product_reference": "8Base-RHOSE-4.7" }, { "category": "default_component_of", "full_product_name": { "name": "jenkins-0:2.303.3.1637597018-1.el8.src as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src" }, "product_reference": "jenkins-0:2.303.3.1637597018-1.el8.src", "relates_to_product_reference": "8Base-RHOSE-4.7" }, { "category": "default_component_of", "full_product_name": { "name": "jenkins-2-plugins-0:4.7.1637600997-1.el8.noarch as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.noarch" }, "product_reference": "jenkins-2-plugins-0:4.7.1637600997-1.el8.noarch", "relates_to_product_reference": "8Base-RHOSE-4.7" }, { "category": "default_component_of", "full_product_name": { "name": "jenkins-2-plugins-0:4.7.1637600997-1.el8.src as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.src" }, "product_reference": "jenkins-2-plugins-0:4.7.1637600997-1.el8.src", "relates_to_product_reference": "8Base-RHOSE-4.7" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src as a component of Red Hat OpenShift Container Platform 4.7", "product_id": 
"8Base-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src" }, "product_reference": "openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src", "relates_to_product_reference": "8Base-RHOSE-4.7" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.ppc64le as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.ppc64le" }, "product_reference": "openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.ppc64le", "relates_to_product_reference": "8Base-RHOSE-4.7" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.s390x as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.s390x" }, "product_reference": "openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.s390x", "relates_to_product_reference": "8Base-RHOSE-4.7" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.x86_64" }, "product_reference": "openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.x86_64", "relates_to_product_reference": "8Base-RHOSE-4.7" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-21685", "cwe": { "id": "CWE-281", "name": "Improper Preservation of Permissions" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.src", 
"7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.x86_64", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.src", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.src", "8Base-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.s390x", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.x86_64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020322" } ], "notes": [ { "category": "description", "text": "An incorrect permissions validation vulnerability was found in Jenkins. 
The FilePath#mkdirs does not check permission to create parent directories, which may allow an attacker who controls the agent process to read and write arbitrary files on the Jenkins controller file system.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: FilePath#mkdirs does not check permission to create parent directories", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.src", "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.x86_64", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.src", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", 
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.src", "8Base-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.s390x", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21685" }, { "category": "external", "summary": "RHBZ#2020322", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020322" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21685", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21685" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21685", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21685" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-01T12:28:59+00:00", "details": "For OpenShift Container Platform 4.7 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html", "product_ids": [ 
"8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4801" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue and has not been able to identify a practical example. Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.src", "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.x86_64", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.src", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.src", "8Base-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src", 
"8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.s390x", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.x86_64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: FilePath#mkdirs does not check permission to create parent directories" }, { "cve": "CVE-2021-21686", "cwe": { "id": "CWE-59", "name": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.src", "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.x86_64", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.src", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", 
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.src", "8Base-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.s390x", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.x86_64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020323" } ], "notes": [ { "category": "description", "text": "A link following vulnerability was found in Jenkins. The file path filters do not canonicalize paths allowing operations to follow symbolic links to directories they are not supposed to have access to. 
This may allow an attacker to read and write arbitrary files on the Jenkins controller file system.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: File path filters do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.src", "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.x86_64", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.src", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", 
"8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.src", "8Base-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.s390x", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21686" }, { "category": "external", "summary": "RHBZ#2020323", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020323" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21686", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21686" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21686", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21686" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-01T12:28:59+00:00", "details": "For OpenShift Container Platform 4.7 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src" ], 
"restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4801" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.src", "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.x86_64", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.src", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.src", "8Base-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.ppc64le", 
"8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.s390x", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.x86_64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: File path filters do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories" }, { "cve": "CVE-2021-21687", "cwe": { "id": "CWE-59", "name": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.src", "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.x86_64", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.src", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", 
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.src", "8Base-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.s390x", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.x86_64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020324" } ], "notes": [ { "category": "description", "text": "An incorrect permissions validation vulnerability was found in Jenkins. 
The FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic link, which may allow an attacker to get read and write access to arbitrary files on the Jenkins controller file system.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic link", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.src", "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.x86_64", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.src", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", 
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.src", "8Base-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.s390x", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21687" }, { "category": "external", "summary": "RHBZ#2020324", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020324" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21687", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21687" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21687", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21687" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-01T12:28:59+00:00", "details": "For OpenShift Container Platform 4.7 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html", "product_ids": [ 
"8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4801" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.src", "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.x86_64", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.src", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.src", "8Base-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src", 
"8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.s390x", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.x86_64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic link" }, { "cve": "CVE-2021-21688", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.src", "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.x86_64", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.src", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", 
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.src", "8Base-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.s390x", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.x86_64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020327" } ], "notes": [ { "category": "description", "text": "An incorrect access restriction vulnerability was found in Jenkins. The FilePath#reading(FileVisitor) does not reject any operations giving users unrestricted read access with certain operations (creating archives, #copyRecursiveTo). 
This may allow an attacker to get access to restricted data.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: FilePath#reading(FileVisitor) does not reject any operations allowing users to have unrestricted read access", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.src", "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.x86_64", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.src", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.noarch", 
"8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.src", "8Base-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.s390x", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21688" }, { "category": "external", "summary": "RHBZ#2020327", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020327" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21688", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21688" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21688", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21688" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-01T12:28:59+00:00", "details": "For OpenShift Container Platform 4.7 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src" ], "restart_required": { "category": "none" }, "url": 
"https://access.redhat.com/errata/RHSA-2021:4801" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.src", "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.x86_64", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.src", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.src", "8Base-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.s390x", 
"8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.x86_64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: FilePath#reading(FileVisitor) does not reject any operations allowing users to have unrestricted read access" }, { "cve": "CVE-2021-21689", "cwe": { "id": "CWE-276", "name": "Incorrect Default Permissions" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.src", "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.x86_64", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.src", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", 
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.src", "8Base-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.s390x", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.x86_64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020335" } ], "notes": [ { "category": "description", "text": "An incorrect access control vulnerability was found in Jenkins. The FilePath#unzip and FilePath#untar were not subjected to any access control. 
An attacker with access to FilePath#unzip or FilePath#untar operations is able to read and write arbitrary files on the Jenkins controller file system.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: FilePath#unzip and FilePath#untar were not subject to any access control", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.src", "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.x86_64", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.src", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", 
"8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.src", "8Base-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.s390x", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21689" }, { "category": "external", "summary": "RHBZ#2020335", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020335" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21689", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21689" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21689", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21689" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-01T12:28:59+00:00", "details": "For OpenShift Container Platform 4.7 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src" ], 
"restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4801" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.src", "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.x86_64", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.src", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.src", "8Base-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.ppc64le", 
"8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.s390x", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.x86_64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: FilePath#unzip and FilePath#untar were not subject to any access control" }, { "cve": "CVE-2021-21690", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.src", "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.x86_64", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.src", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", 
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.src", "8Base-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.s390x", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.x86_64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020336" } ], "notes": [ { "category": "description", "text": "A file path filtering bypass vulnerability was found in Jenkins. Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path. 
This may allow an attacker who controls the agent process to get read and write access to arbitrary files on the Jenkins controller file system.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.src", "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.x86_64", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.src", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", 
"8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.src", "8Base-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.s390x", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21690" }, { "category": "external", "summary": "RHBZ#2020336", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020336" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21690", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21690" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21690", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21690" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-01T12:28:59+00:00", "details": "For OpenShift Container Platform 4.7 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src" ], 
"restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4801" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.src", "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.x86_64", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.src", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.src", "8Base-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.ppc64le", 
"8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.s390x", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.x86_64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path" }, { "cve": "CVE-2021-21691", "cwe": { "id": "CWE-276", "name": "Incorrect Default Permissions" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.src", "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.x86_64", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.src", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", 
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.src", "8Base-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.s390x", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.x86_64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020338" } ], "notes": [ { "category": "description", "text": "A vulnerability was found in Jenkins which failed to correctly validate permissions. This flaw allowed any user to create symbolic links regardless if they had the symlink permission. 
It may allow an attacker to read and write to arbitrary files on the Jenkins controller file system.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: Creating symbolic links is possible without the symlink permission", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.src", "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.x86_64", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.src", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.noarch", 
"8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.src", "8Base-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.s390x", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21691" }, { "category": "external", "summary": "RHBZ#2020338", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020338" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21691", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21691" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21691", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21691" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-01T12:28:59+00:00", "details": "For OpenShift Container Platform 4.7 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src" ], "restart_required": { "category": "none" }, "url": 
"https://access.redhat.com/errata/RHSA-2021:4801" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.src", "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.x86_64", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.src", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.src", "8Base-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.s390x", 
"8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.x86_64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: Creating symbolic links is possible without the symlink permission" }, { "cve": "CVE-2021-21692", "cwe": { "id": "CWE-276", "name": "Incorrect Default Permissions" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.src", "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.x86_64", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.src", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", 
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.src", "8Base-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.s390x", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.x86_64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020339" } ], "notes": [ { "category": "description", "text": "An incorrect permissions validation vulnerability was found in Jenkins. The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the source path which may allow an attacker who has access to these operations to be able to read and write to arbitrary files on the Jenkins controller file system.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the source path", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.src", "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", 
"7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.x86_64", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.src", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.src", "8Base-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.s390x", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21692" }, { "category": "external", "summary": "RHBZ#2020339", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020339" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21692", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21692" }, { "category": "external", "summary": 
"https://nvd.nist.gov/vuln/detail/CVE-2021-21692", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21692" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-01T12:28:59+00:00", "details": "For OpenShift Container Platform 4.7 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4801" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. 
Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.src", "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.x86_64", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.src", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.src", "8Base-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.s390x", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.x86_64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, 
"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the source path" }, { "cve": "CVE-2021-21693", "cwe": { "id": "CWE-276", "name": "Incorrect Default Permissions" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.src", "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.x86_64", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.src", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", 
"8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.src", "8Base-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.s390x", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.x86_64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020341" } ], "notes": [ { "category": "description", "text": "An incorrect permissions validation vulnerability was found in Jenkins. The permissions to create temporary files are only checked after they have been created. This may allow an attacker to get access to restricted data.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: When creating temporary files, permission to create files is only checked after they\u2019ve been created.", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.src", "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.x86_64", 
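The two descriptions above (CVE-2021-21692: rename and move validated against 'read' on the source rather than 'delete'; CVE-2021-21693: a temporary file created before its permission check) are both instances of checking the wrong thing, or checking it too late, in an agent-to-controller path filter. The Python below is an added example and is not Jenkins code or part of the Red Hat record: it models each flaw beside its corrected form on a constructed in-memory filesystem. The PathFilter rules, the operation names and the paths are assumptions made for illustration.

```python
"""Added example, not Jenkins code and not part of the Red Hat record: a
simplified model of the agent-to-controller file access checks described for
CVE-2021-21692 (rename/move validated against 'read' on the source instead
of 'delete') and CVE-2021-21693 (temporary file created before the permission
check). The PathFilter rules, operation names and in-memory filesystem are
constructed for illustration only.
"""
from dataclasses import dataclass, field
from enum import Flag, auto
from fnmatch import fnmatch


class Op(Flag):
    READ = auto()
    WRITE = auto()
    DELETE = auto()
    CREATE = auto()


class AccessDenied(PermissionError):
    pass


@dataclass
class PathFilter:
    """Hypothetical allow-list: (glob, permitted ops); first matching glob wins."""
    rules: list

    def check(self, op: Op, path: str) -> None:
        for pattern, allowed in self.rules:
            if fnmatch(path, pattern):
                if op in allowed:
                    return
                raise AccessDenied(f"{op.name} on {path} not permitted")
        raise AccessDenied(f"no rule matches {path}")


@dataclass
class Controller:
    """In-memory controller filesystem plus the filter an agent request passes through."""
    files: dict = field(default_factory=dict)   # path -> content
    acl: PathFilter = None

    # CVE-2021-21692 shape: the source is only checked for READ, the target not at all.
    def rename_vulnerable(self, src: str, dst: str) -> None:
        self.acl.check(Op.READ, src)
        self.files[dst] = self.files.pop(src)

    # Corrected: moving a file away is a DELETE of the source and a WRITE of the target.
    def rename_fixed(self, src: str, dst: str) -> None:
        self.acl.check(Op.DELETE, src)
        self.acl.check(Op.WRITE, dst)
        self.files[dst] = self.files.pop(src)

    # CVE-2021-21693 shape: the file exists before the check runs, so a denial leaves it behind.
    def create_temp_vulnerable(self, path: str) -> None:
        self.files[path] = ""
        self.acl.check(Op.CREATE, path)

    # Corrected: check first, act second.
    def create_temp_fixed(self, path: str) -> None:
        self.acl.check(Op.CREATE, path)
        self.files[path] = ""


def demo() -> dict:
    """Run each vulnerable/fixed pair against one policy; return what each leaves behind."""
    acl = PathFilter([
        ("/var/lib/jenkins/workspace/*", Op.READ | Op.WRITE | Op.DELETE | Op.CREATE),
        ("/var/lib/jenkins/secrets/*", Op.READ),   # readable, never deletable or creatable
    ])
    secret = "/var/lib/jenkins/secrets/master.key"
    dest = "/var/lib/jenkins/workspace/out"
    tmp = "/var/lib/jenkins/secrets/tmp123"
    results = {}
    for name in ("rename_vulnerable", "rename_fixed"):
        c = Controller({secret: "k"}, acl)
        try:
            getattr(c, name)(secret, dest)
            results[name] = "moved"
        except AccessDenied:
            results[name] = "denied"
    for name in ("create_temp_vulnerable", "create_temp_fixed"):
        c = Controller({}, acl)
        try:
            getattr(c, name)(tmp)
            results[name] = "created"
        except AccessDenied:
            results[name] = "denied, file left" if tmp in c.files else "denied, clean"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:24s} {v}")
```

With this policy the vulnerable rename moves a read-only secret out of a protected directory into an agent-writable one, while the fixed rename is refused; the vulnerable temp-file path is refused too, but only after the file has already been created under the protected directory.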
"8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.src", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.src", "8Base-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.s390x", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21693" }, { "category": "external", "summary": "RHBZ#2020341", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020341" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21693", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21693" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21693", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21693" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": 
"2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-01T12:28:59+00:00", "details": "For OpenShift Container Platform 4.7 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4801" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. 
Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.src", "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.x86_64", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.src", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.src", "8Base-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.s390x", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.x86_64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, 
"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: When creating temporary files, permission to create files is only checked after they\u2019ve been created." }, { "cve": "CVE-2021-21694", "cwe": { "id": "CWE-863", "name": "Incorrect Authorization" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.src", "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.x86_64", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.src", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", 
"8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.src", "8Base-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.s390x", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.x86_64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020342" } ], "notes": [ { "category": "description", "text": "An incorrect permissions validation vulnerability was found in Jenkins. The FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions, which may allow an attacker who has access to any of these operations to be able to read and write arbitrary files on the Jenkins controller file system.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.src", "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", 
"7Server-RH7-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.x86_64", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.src", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.src", "8Base-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.s390x", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21694" }, { "category": "external", "summary": "RHBZ#2020342", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020342" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21694", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21694" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21694", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21694" }, { 
"category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-01T12:28:59+00:00", "details": "For OpenShift Container Platform 4.7 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4801" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. 
Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.src", "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.x86_64", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.src", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.src", "8Base-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.s390x", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.x86_64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, 
"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions" }, { "cve": "CVE-2021-21695", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.src", "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.x86_64", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.src", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", 
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.src", "8Base-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.s390x", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.x86_64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020343" } ], "notes": [ { "category": "description", "text": "An incorrect permissions validation vulnerability was found in Jenkins. The FilePath#listFiles lists files outside directories with agent read access when following symbolic links. This may allow an attacker to get access to restricted data.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: FilePath#listFiles lists files outside directories with agent read access when following symbolic links.", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.src", "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.src", 
"7Server-RH7-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.x86_64", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.src", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.src", "8Base-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.s390x", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21695" }, { "category": "external", "summary": "RHBZ#2020343", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020343" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21695", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21695" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21695", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21695" }, { "category": "external", "summary": 
"https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-01T12:28:59+00:00", "details": "For OpenShift Container Platform 4.7 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4801" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. 
Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.src", "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.x86_64", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.src", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.src", "8Base-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.s390x", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.x86_64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, 
"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: FilePath#listFiles lists files outside directories with agent read access when following symbolic links." }, { "cve": "CVE-2021-21696", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.src", "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.x86_64", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.src", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", 
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.src", "8Base-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.s390x", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.x86_64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020344" } ], "notes": [ { "category": "description", "text": "An incorrect permissions validation vulnerability was found in Jenkins. An agent process read/write access to the libs/ directory inside build directories when using the FilePath APIs is not limited. This allows attackers in control of agent processes to replace the code of a trusted library with a modified variant, resulting in unsandboxed code execution in the Jenkins controller process.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: Agent-to-controller access control allowed writing to sensitive directory used by Pipeline: Shared Groovy Libraries Plugin", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.src", "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", 
"7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.x86_64", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.src", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.src", "8Base-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.s390x", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21696" }, { "category": "external", "summary": "RHBZ#2020344", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020344" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21696", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21696" }, { "category": "external", "summary": 
"https://nvd.nist.gov/vuln/detail/CVE-2021-21696", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21696" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2423", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2423" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-01T12:28:59+00:00", "details": "For OpenShift Container Platform 4.7 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4801" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. 
Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.src", "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.x86_64", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.src", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.src", "8Base-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.s390x", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.x86_64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, 
"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: Agent-to-controller access control allowed writing to sensitive directory used by Pipeline: Shared Groovy Libraries Plugin" }, { "cve": "CVE-2021-21697", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.src", "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.x86_64", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.src", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", 
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.src", "8Base-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.s390x", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.x86_64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020345" } ], "notes": [ { "category": "description", "text": "An incorrect access restriction vulnerability was found in Jenkins. The directories agents are allowed to access include the directories where there are stored build-related information intended to allow agents to store build-related metadata during build execution. As a consequence, this allows an attacker who controls agent process to read and write the contents of any build directory stored in Jenkins with very few restrictions (build.xml and some Pipeline-related metadata).", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: Agent-to-controller access control allows reading/writing most content of build directories", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.src", 
"7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.x86_64", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.src", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.src", "8Base-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.s390x", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21697" }, { "category": "external", "summary": "RHBZ#2020345", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020345" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21697", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21697" 
}, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21697", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21697" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2428", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2428" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-01T12:28:59+00:00", "details": "For OpenShift Container Platform 4.7 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4801" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. 
Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.src", "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.x86_64", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.src", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.src", "8Base-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.s390x", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.x86_64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, 
"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: Agent-to-controller access control allows reading/writing most content of build directories" }, { "cve": "CVE-2021-21698", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.src", "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.x86_64", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.src", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", 
"8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src", "8Base-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.s390x", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.x86_64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020385" } ], "notes": [ { "category": "description", "text": "An incorrect access restriction vulnerability was found in the Subversion Plugin for Jenkins. An agent\u0027s ability to learn the name of a file is not restricted when looking up a subversion key file on the controller. This may allow attackers to control agent processes and read arbitrary files on the Jenkins controller file system.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins-2-plugins/subversion: does not restrict the name of a file when looking up a subversion key", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.src", "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el7.x86_64", "7Server-RH7-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.src", 
"7Server-RH7-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.x86_64", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.src", "8Base-RHOSE-4.7:cri-o-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.ppc64le", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.s390x", "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.6-3.rhaos4.7.git4603183.el8.x86_64", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-0:2.303.3.1637597018-1.el8.src", "8Base-RHOSE-4.7:openshift-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.s390x", "8Base-RHOSE-4.7:openshift-hyperkube-0:4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21698" }, { "category": "external", "summary": "RHBZ#2020385", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020385" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21698", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21698" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21698", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21698" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2506", 
"url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2506" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-01T12:28:59+00:00", "details": "For OpenShift Container Platform 4.7 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4801" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.noarch", "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1637600997-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jenkins-2-plugins/subversion: does not restrict the name of a file when looking up a subversion key" } ] }
rhsa-2021_4833
Vulnerability from csaf_redhat
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat OpenShift Container Platform release 4.9.9 is now available with updates to packages and images that fix several bugs and add enhancements.\n\nThis release includes a security update for Red Hat OpenShift Container Platform 4.9.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.\n\nThis advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.9.9. 
See the following advisory for the container images for this release:\n\nhttps://access.redhat.com/errata/RHSA-2021:4834\n\nSecurity Fix(es):\n\n* jenkins-2-plugins/subversion: does not restrict the name of a file when looking up a subversion key (CVE-2021-21698)\n* jenkins: FilePath#mkdirs does not check permission to create parent directories (CVE-2021-21685)\n* jenkins: File path filters do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories (CVE-2021-21686)\n* jenkins: FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic link (CVE-2021-21687)\n* jenkins: FilePath#reading(FileVisitor) does not reject any operations allowing users to have unrestricted read access (CVE-2021-21688)\n* jenkins: FilePath#unzip and FilePath#untar were not subject to any access control (CVE-2021-21689)\n* jenkins: Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path (CVE-2021-21690)\n* jenkins: Creating symbolic links is possible without the symlink permission (CVE-2021-21691)\n* jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the source path (CVE-2021-21692)\n* jenkins: When creating temporary files, permission to create files is only checked after they\u2019ve been created. (CVE-2021-21693)\n* jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions (CVE-2021-21694)\n* jenkins: FilePath#listFiles lists files outside directories with agent read access when following symbolic links. 
(CVE-2021-21695)\n* jenkins: Agent-to-controller access control allowed writing to sensitive directory used by Pipeline: Shared Groovy Libraries Plugin (CVE-2021-21696)\n* jenkins: Agent-to-controller access control allows reading/writing most content of build directories (CVE-2021-21697)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:4833", "url": "https://access.redhat.com/errata/RHSA-2021:4833" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "2020322", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020322" }, { "category": "external", "summary": "2020323", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020323" }, { "category": "external", "summary": "2020324", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020324" }, { "category": "external", "summary": "2020327", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020327" }, { "category": 
"external", "summary": "2020335", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020335" }, { "category": "external", "summary": "2020336", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020336" }, { "category": "external", "summary": "2020338", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020338" }, { "category": "external", "summary": "2020339", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020339" }, { "category": "external", "summary": "2020341", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020341" }, { "category": "external", "summary": "2020342", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020342" }, { "category": "external", "summary": "2020343", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020343" }, { "category": "external", "summary": "2020344", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020344" }, { "category": "external", "summary": "2020345", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020345" }, { "category": "external", "summary": "2020385", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020385" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_4833.json" } ], "title": "Red Hat Security Advisory: OpenShift Container Platform 4.9.9 security update", "tracking": { "current_release_date": "2024-11-06T00:11:48+00:00", "generator": { "date": "2024-11-06T00:11:48+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2021:4833", "initial_release_date": "2021-11-29T10:40:21+00:00", "revision_history": [ { "date": "2021-11-29T10:40:21+00:00", "number": "1", "summary": "Initial version" }, { "date": "2021-11-29T10:40:21+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-06T00:11:48+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": 
[ { "category": "product_name", "name": "Red Hat OpenShift Container Platform 4.9", "product": { "name": "Red Hat OpenShift Container Platform 4.9", "product_id": "7Server-RH7-RHOSE-4.9", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:4.9::el7" } } }, { "category": "product_name", "name": "Red Hat OpenShift Container Platform 4.9", "product": { "name": "Red Hat OpenShift Container Platform 4.9", "product_id": "8Base-RHOSE-4.9", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:4.9::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.src", "product": { "name": "cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.src", "product_id": "cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o@1.22.1-4.rhaos4.9.gite3dfe61.el7?arch=src" } } }, { "category": "product_version", "name": "openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.src", "product": { "name": "openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.src", "product_id": "openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift@4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7?arch=src" } } }, { "category": "product_version", "name": "container-selinux-2:2.170.0-2.rhaos4.9.el8.src", "product": { "name": "container-selinux-2:2.170.0-2.rhaos4.9.el8.src", "product_id": "container-selinux-2:2.170.0-2.rhaos4.9.el8.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/container-selinux@2.170.0-2.rhaos4.9.el8?arch=src\u0026epoch=2" } } }, { "category": "product_version", "name": "cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.src", "product": { "name": "cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.src", "product_id": "cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.src", "product_identification_helper": { 
"purl": "pkg:rpm/redhat/cri-o@1.22.1-4.rhaos4.9.gite3dfe61.el8?arch=src" } } }, { "category": "product_version", "name": "jenkins-0:2.303.3.1637595827-1.el8.src", "product": { "name": "jenkins-0:2.303.3.1637595827-1.el8.src", "product_id": "jenkins-0:2.303.3.1637595827-1.el8.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jenkins@2.303.3.1637595827-1.el8?arch=src" } } }, { "category": "product_version", "name": "jenkins-2-plugins-0:4.9.1637598812-1.el8.src", "product": { "name": "jenkins-2-plugins-0:4.9.1637598812-1.el8.src", "product_id": "jenkins-2-plugins-0:4.9.1637598812-1.el8.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jenkins-2-plugins@4.9.1637598812-1.el8?arch=src" } } }, { "category": "product_version", "name": "openshift-kuryr-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.src", "product": { "name": "openshift-kuryr-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.src", "product_id": "openshift-kuryr-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift-kuryr@4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8?arch=src" } } }, { "category": "product_version", "name": "python-sushy-0:3.12.1-0.20211122142104.806622c.el8.src", "product": { "name": "python-sushy-0:3.12.1-0.20211122142104.806622c.el8.src", "product_id": "python-sushy-0:3.12.1-0.20211122142104.806622c.el8.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/python-sushy@3.12.1-0.20211122142104.806622c.el8?arch=src" } } }, { "category": "product_version", "name": "openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.src", "product": { "name": "openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.src", "product_id": "openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift@4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8?arch=src" } } } ], "category": 
"architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "product": { "name": "cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "product_id": "cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o@1.22.1-4.rhaos4.9.gite3dfe61.el7?arch=x86_64" } } }, { "category": "product_version", "name": "cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "product": { "name": "cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "product_id": "cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o-debuginfo@1.22.1-4.rhaos4.9.gite3dfe61.el7?arch=x86_64" } } }, { "category": "product_version", "name": "openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.x86_64", "product": { "name": "openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.x86_64", "product_id": "openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift-hyperkube@4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7?arch=x86_64" } } }, { "category": "product_version", "name": "cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "product": { "name": "cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "product_id": "cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o@1.22.1-4.rhaos4.9.gite3dfe61.el8?arch=x86_64" } } }, { "category": "product_version", "name": "cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "product": { "name": "cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "product_id": "cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o-debugsource@1.22.1-4.rhaos4.9.gite3dfe61.el8?arch=x86_64" } } }, 
{ "category": "product_version", "name": "cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "product": { "name": "cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "product_id": "cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o-debuginfo@1.22.1-4.rhaos4.9.gite3dfe61.el8?arch=x86_64" } } }, { "category": "product_version", "name": "openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.x86_64", "product": { "name": "openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.x86_64", "product_id": "openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift-hyperkube@4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_version", "name": "container-selinux-2:2.170.0-2.rhaos4.9.el8.noarch", "product": { "name": "container-selinux-2:2.170.0-2.rhaos4.9.el8.noarch", "product_id": "container-selinux-2:2.170.0-2.rhaos4.9.el8.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/container-selinux@2.170.0-2.rhaos4.9.el8?arch=noarch\u0026epoch=2" } } }, { "category": "product_version", "name": "jenkins-0:2.303.3.1637595827-1.el8.noarch", "product": { "name": "jenkins-0:2.303.3.1637595827-1.el8.noarch", "product_id": "jenkins-0:2.303.3.1637595827-1.el8.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jenkins@2.303.3.1637595827-1.el8?arch=noarch" } } }, { "category": "product_version", "name": "jenkins-2-plugins-0:4.9.1637598812-1.el8.noarch", "product": { "name": "jenkins-2-plugins-0:4.9.1637598812-1.el8.noarch", "product_id": "jenkins-2-plugins-0:4.9.1637598812-1.el8.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jenkins-2-plugins@4.9.1637598812-1.el8?arch=noarch" } } }, { "category": "product_version", 
"name": "openshift-kuryr-cni-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "product": { "name": "openshift-kuryr-cni-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "product_id": "openshift-kuryr-cni-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift-kuryr-cni@4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8?arch=noarch" } } }, { "category": "product_version", "name": "openshift-kuryr-common-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "product": { "name": "openshift-kuryr-common-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "product_id": "openshift-kuryr-common-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift-kuryr-common@4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8?arch=noarch" } } }, { "category": "product_version", "name": "openshift-kuryr-controller-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "product": { "name": "openshift-kuryr-controller-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "product_id": "openshift-kuryr-controller-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift-kuryr-controller@4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8?arch=noarch" } } }, { "category": "product_version", "name": "python3-kuryr-kubernetes-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "product": { "name": "python3-kuryr-kubernetes-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "product_id": "python3-kuryr-kubernetes-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/python3-kuryr-kubernetes@4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8?arch=noarch" } } }, { "category": "product_version", "name": 
"python3-sushy-0:3.12.1-0.20211122142104.806622c.el8.noarch", "product": { "name": "python3-sushy-0:3.12.1-0.20211122142104.806622c.el8.noarch", "product_id": "python3-sushy-0:3.12.1-0.20211122142104.806622c.el8.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/python3-sushy@3.12.1-0.20211122142104.806622c.el8?arch=noarch" } } }, { "category": "product_version", "name": "python3-sushy-tests-0:3.12.1-0.20211122142104.806622c.el8.noarch", "product": { "name": "python3-sushy-tests-0:3.12.1-0.20211122142104.806622c.el8.noarch", "product_id": "python3-sushy-tests-0:3.12.1-0.20211122142104.806622c.el8.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/python3-sushy-tests@3.12.1-0.20211122142104.806622c.el8?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "product": { "name": "cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "product_id": "cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o@1.22.1-4.rhaos4.9.gite3dfe61.el8?arch=aarch64" } } }, { "category": "product_version", "name": "cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "product": { "name": "cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "product_id": "cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o-debugsource@1.22.1-4.rhaos4.9.gite3dfe61.el8?arch=aarch64" } } }, { "category": "product_version", "name": "cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "product": { "name": "cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "product_id": "cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o-debuginfo@1.22.1-4.rhaos4.9.gite3dfe61.el8?arch=aarch64" } } }, { "category": 
"product_version", "name": "openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.aarch64", "product": { "name": "openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.aarch64", "product_id": "openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.aarch64", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift-hyperkube@4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8?arch=aarch64" } } } ], "category": "architecture", "name": "aarch64" }, { "branches": [ { "category": "product_version", "name": "cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "product": { "name": "cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "product_id": "cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o@1.22.1-4.rhaos4.9.gite3dfe61.el8?arch=ppc64le" } } }, { "category": "product_version", "name": "cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "product": { "name": "cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "product_id": "cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o-debugsource@1.22.1-4.rhaos4.9.gite3dfe61.el8?arch=ppc64le" } } }, { "category": "product_version", "name": "cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "product": { "name": "cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "product_id": "cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o-debuginfo@1.22.1-4.rhaos4.9.gite3dfe61.el8?arch=ppc64le" } } }, { "category": "product_version", "name": "openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.ppc64le", "product": { "name": "openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.ppc64le", "product_id": 
"openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift-hyperkube@4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8?arch=ppc64le" } } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "product": { "name": "cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "product_id": "cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o@1.22.1-4.rhaos4.9.gite3dfe61.el8?arch=s390x" } } }, { "category": "product_version", "name": "cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "product": { "name": "cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "product_id": "cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o-debugsource@1.22.1-4.rhaos4.9.gite3dfe61.el8?arch=s390x" } } }, { "category": "product_version", "name": "cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "product": { "name": "cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "product_id": "cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o-debuginfo@1.22.1-4.rhaos4.9.gite3dfe61.el8?arch=s390x" } } }, { "category": "product_version", "name": "openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.s390x", "product": { "name": "openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.s390x", "product_id": "openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift-hyperkube@4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8?arch=s390x" } } } ], "category": "architecture", "name": "s390x" } ], "category": "vendor", "name": "Red Hat" } ], 
"relationships": [ { "category": "default_component_of", "full_product_name": { "name": "cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.src as a component of Red Hat OpenShift Container Platform 4.9", "product_id": "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.src" }, "product_reference": "cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.src", "relates_to_product_reference": "7Server-RH7-RHOSE-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64 as a component of Red Hat OpenShift Container Platform 4.9", "product_id": "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64" }, "product_reference": "cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "relates_to_product_reference": "7Server-RH7-RHOSE-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64 as a component of Red Hat OpenShift Container Platform 4.9", "product_id": "7Server-RH7-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64" }, "product_reference": "cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "relates_to_product_reference": "7Server-RH7-RHOSE-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.src as a component of Red Hat OpenShift Container Platform 4.9", "product_id": "7Server-RH7-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.src" }, "product_reference": "openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.src", "relates_to_product_reference": "7Server-RH7-RHOSE-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.x86_64 as a component of Red Hat OpenShift Container Platform 4.9", "product_id": 
"7Server-RH7-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.x86_64" }, "product_reference": "openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.x86_64", "relates_to_product_reference": "7Server-RH7-RHOSE-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "container-selinux-2:2.170.0-2.rhaos4.9.el8.noarch as a component of Red Hat OpenShift Container Platform 4.9", "product_id": "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.noarch" }, "product_reference": "container-selinux-2:2.170.0-2.rhaos4.9.el8.noarch", "relates_to_product_reference": "8Base-RHOSE-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "container-selinux-2:2.170.0-2.rhaos4.9.el8.src as a component of Red Hat OpenShift Container Platform 4.9", "product_id": "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.src" }, "product_reference": "container-selinux-2:2.170.0-2.rhaos4.9.el8.src", "relates_to_product_reference": "8Base-RHOSE-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64 as a component of Red Hat OpenShift Container Platform 4.9", "product_id": "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64" }, "product_reference": "cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "relates_to_product_reference": "8Base-RHOSE-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le as a component of Red Hat OpenShift Container Platform 4.9", "product_id": "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le" }, "product_reference": "cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "relates_to_product_reference": "8Base-RHOSE-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x as a component of Red Hat OpenShift Container Platform 
4.9", "product_id": "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x" }, "product_reference": "cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "relates_to_product_reference": "8Base-RHOSE-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.src as a component of Red Hat OpenShift Container Platform 4.9", "product_id": "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.src" }, "product_reference": "cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.src", "relates_to_product_reference": "8Base-RHOSE-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.9", "product_id": "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64" }, "product_reference": "cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "relates_to_product_reference": "8Base-RHOSE-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64 as a component of Red Hat OpenShift Container Platform 4.9", "product_id": "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64" }, "product_reference": "cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "relates_to_product_reference": "8Base-RHOSE-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le as a component of Red Hat OpenShift Container Platform 4.9", "product_id": "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le" }, "product_reference": "cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "relates_to_product_reference": "8Base-RHOSE-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x as a component of Red Hat OpenShift Container Platform 
4.9", "product_id": "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x" }, "product_reference": "cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "relates_to_product_reference": "8Base-RHOSE-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.9", "product_id": "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64" }, "product_reference": "cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "relates_to_product_reference": "8Base-RHOSE-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64 as a component of Red Hat OpenShift Container Platform 4.9", "product_id": "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64" }, "product_reference": "cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "relates_to_product_reference": "8Base-RHOSE-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le as a component of Red Hat OpenShift Container Platform 4.9", "product_id": "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le" }, "product_reference": "cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "relates_to_product_reference": "8Base-RHOSE-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x as a component of Red Hat OpenShift Container Platform 4.9", "product_id": "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x" }, "product_reference": "cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "relates_to_product_reference": "8Base-RHOSE-4.9" }, { "category": "default_component_of", "full_product_name": { "name": 
"cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.9", "product_id": "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64" }, "product_reference": "cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "relates_to_product_reference": "8Base-RHOSE-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "jenkins-0:2.303.3.1637595827-1.el8.noarch as a component of Red Hat OpenShift Container Platform 4.9", "product_id": "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch" }, "product_reference": "jenkins-0:2.303.3.1637595827-1.el8.noarch", "relates_to_product_reference": "8Base-RHOSE-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "jenkins-0:2.303.3.1637595827-1.el8.src as a component of Red Hat OpenShift Container Platform 4.9", "product_id": "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src" }, "product_reference": "jenkins-0:2.303.3.1637595827-1.el8.src", "relates_to_product_reference": "8Base-RHOSE-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "jenkins-2-plugins-0:4.9.1637598812-1.el8.noarch as a component of Red Hat OpenShift Container Platform 4.9", "product_id": "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.noarch" }, "product_reference": "jenkins-2-plugins-0:4.9.1637598812-1.el8.noarch", "relates_to_product_reference": "8Base-RHOSE-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "jenkins-2-plugins-0:4.9.1637598812-1.el8.src as a component of Red Hat OpenShift Container Platform 4.9", "product_id": "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.src" }, "product_reference": "jenkins-2-plugins-0:4.9.1637598812-1.el8.src", "relates_to_product_reference": "8Base-RHOSE-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.src as a component 
of Red Hat OpenShift Container Platform 4.9", "product_id": "8Base-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.src" }, "product_reference": "openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.src", "relates_to_product_reference": "8Base-RHOSE-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.aarch64 as a component of Red Hat OpenShift Container Platform 4.9", "product_id": "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.aarch64" }, "product_reference": "openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.aarch64", "relates_to_product_reference": "8Base-RHOSE-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.ppc64le as a component of Red Hat OpenShift Container Platform 4.9", "product_id": "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.ppc64le" }, "product_reference": "openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.ppc64le", "relates_to_product_reference": "8Base-RHOSE-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.s390x as a component of Red Hat OpenShift Container Platform 4.9", "product_id": "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.s390x" }, "product_reference": "openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.s390x", "relates_to_product_reference": "8Base-RHOSE-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.9", "product_id": 
"8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.x86_64" }, "product_reference": "openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.x86_64", "relates_to_product_reference": "8Base-RHOSE-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-kuryr-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.src as a component of Red Hat OpenShift Container Platform 4.9", "product_id": "8Base-RHOSE-4.9:openshift-kuryr-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.src" }, "product_reference": "openshift-kuryr-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.src", "relates_to_product_reference": "8Base-RHOSE-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-kuryr-cni-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch as a component of Red Hat OpenShift Container Platform 4.9", "product_id": "8Base-RHOSE-4.9:openshift-kuryr-cni-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch" }, "product_reference": "openshift-kuryr-cni-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "relates_to_product_reference": "8Base-RHOSE-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-kuryr-common-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch as a component of Red Hat OpenShift Container Platform 4.9", "product_id": "8Base-RHOSE-4.9:openshift-kuryr-common-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch" }, "product_reference": "openshift-kuryr-common-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "relates_to_product_reference": "8Base-RHOSE-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-kuryr-controller-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch as a component of Red Hat OpenShift Container Platform 4.9", "product_id": 
"8Base-RHOSE-4.9:openshift-kuryr-controller-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch" }, "product_reference": "openshift-kuryr-controller-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "relates_to_product_reference": "8Base-RHOSE-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "python-sushy-0:3.12.1-0.20211122142104.806622c.el8.src as a component of Red Hat OpenShift Container Platform 4.9", "product_id": "8Base-RHOSE-4.9:python-sushy-0:3.12.1-0.20211122142104.806622c.el8.src" }, "product_reference": "python-sushy-0:3.12.1-0.20211122142104.806622c.el8.src", "relates_to_product_reference": "8Base-RHOSE-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "python3-kuryr-kubernetes-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch as a component of Red Hat OpenShift Container Platform 4.9", "product_id": "8Base-RHOSE-4.9:python3-kuryr-kubernetes-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch" }, "product_reference": "python3-kuryr-kubernetes-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "relates_to_product_reference": "8Base-RHOSE-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "python3-sushy-0:3.12.1-0.20211122142104.806622c.el8.noarch as a component of Red Hat OpenShift Container Platform 4.9", "product_id": "8Base-RHOSE-4.9:python3-sushy-0:3.12.1-0.20211122142104.806622c.el8.noarch" }, "product_reference": "python3-sushy-0:3.12.1-0.20211122142104.806622c.el8.noarch", "relates_to_product_reference": "8Base-RHOSE-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "python3-sushy-tests-0:3.12.1-0.20211122142104.806622c.el8.noarch as a component of Red Hat OpenShift Container Platform 4.9", "product_id": "8Base-RHOSE-4.9:python3-sushy-tests-0:3.12.1-0.20211122142104.806622c.el8.noarch" }, "product_reference": "python3-sushy-tests-0:3.12.1-0.20211122142104.806622c.el8.noarch", 
"relates_to_product_reference": "8Base-RHOSE-4.9" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-21685", "cwe": { "id": "CWE-281", "name": "Improper Preservation of Permissions" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.src", "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.x86_64", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.noarch", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.src", 
"8Base-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.aarch64", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.s390x", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.x86_64", "8Base-RHOSE-4.9:openshift-kuryr-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-kuryr-cni-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-common-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-controller-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python-sushy-0:3.12.1-0.20211122142104.806622c.el8.src", "8Base-RHOSE-4.9:python3-kuryr-kubernetes-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-0:3.12.1-0.20211122142104.806622c.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-tests-0:3.12.1-0.20211122142104.806622c.el8.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020322" } ], "notes": [ { "category": "description", "text": "An incorrect permissions validation vulnerability was found in Jenkins. 
The FilePath#mkdirs does not check permission to create parent directories, which may allow an attacker who controls the agent process to get read and write arbitrary files on the Jenkins controller file system.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: FilePath#mkdirs does not check permission to create parent directories", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.src", "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.x86_64", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.noarch", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", 
"8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.src", "8Base-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.aarch64", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.s390x", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.x86_64", "8Base-RHOSE-4.9:openshift-kuryr-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-kuryr-cni-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-common-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-controller-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python-sushy-0:3.12.1-0.20211122142104.806622c.el8.src", "8Base-RHOSE-4.9:python3-kuryr-kubernetes-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-0:3.12.1-0.20211122142104.806622c.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-tests-0:3.12.1-0.20211122142104.806622c.el8.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21685" }, { "category": "external", "summary": "RHBZ#2020322", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020322" }, 
{ "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21685", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21685" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21685", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21685" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-11-29T10:40:21+00:00", "details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html\n\nDetails on how to access this content are available at https://docs.openshift.com/container-platform/4.9/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4833" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue and has not been able to identify a practical example. 
Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.src", "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.x86_64", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.noarch", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.src", "8Base-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.src", 
"8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.aarch64", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.s390x", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.x86_64", "8Base-RHOSE-4.9:openshift-kuryr-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-kuryr-cni-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-common-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-controller-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python-sushy-0:3.12.1-0.20211122142104.806622c.el8.src", "8Base-RHOSE-4.9:python3-kuryr-kubernetes-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-0:3.12.1-0.20211122142104.806622c.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-tests-0:3.12.1-0.20211122142104.806622c.el8.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: FilePath#mkdirs does not check permission to create parent directories" }, { "cve": "CVE-2021-21686", "cwe": { "id": "CWE-59", "name": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)" }, "discovery_date": 
"2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.src", "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.x86_64", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.noarch", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.src", "8Base-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.aarch64", 
"8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.s390x", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.x86_64", "8Base-RHOSE-4.9:openshift-kuryr-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-kuryr-cni-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-common-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-controller-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python-sushy-0:3.12.1-0.20211122142104.806622c.el8.src", "8Base-RHOSE-4.9:python3-kuryr-kubernetes-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-0:3.12.1-0.20211122142104.806622c.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-tests-0:3.12.1-0.20211122142104.806622c.el8.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020323" } ], "notes": [ { "category": "description", "text": "A link following vulnerability was found in Jenkins. The file path filters do not canonicalize paths allowing operations to follow symbolic links to directories they are not supposed to have access to. 
This may allow an attacker to read and write arbitrary files on the Jenkins controller file system.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: File path filters do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.src", "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.x86_64", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.noarch", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", 
"8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.src", "8Base-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.aarch64", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.s390x", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.x86_64", "8Base-RHOSE-4.9:openshift-kuryr-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-kuryr-cni-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-common-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-controller-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python-sushy-0:3.12.1-0.20211122142104.806622c.el8.src", "8Base-RHOSE-4.9:python3-kuryr-kubernetes-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-0:3.12.1-0.20211122142104.806622c.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-tests-0:3.12.1-0.20211122142104.806622c.el8.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21686" }, { "category": "external", "summary": "RHBZ#2020323", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020323" }, { "category": "external", "summary": 
"https://www.cve.org/CVERecord?id=CVE-2021-21686", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21686" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21686", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21686" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-11-29T10:40:21+00:00", "details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html\n\nDetails on how to access this content are available at https://docs.openshift.com/container-platform/4.9/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4833" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. 
Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.src", "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.x86_64", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.noarch", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.src", "8Base-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.src", 
"8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.aarch64", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.s390x", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.x86_64", "8Base-RHOSE-4.9:openshift-kuryr-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-kuryr-cni-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-common-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-controller-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python-sushy-0:3.12.1-0.20211122142104.806622c.el8.src", "8Base-RHOSE-4.9:python3-kuryr-kubernetes-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-0:3.12.1-0.20211122142104.806622c.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-tests-0:3.12.1-0.20211122142104.806622c.el8.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: File path filters do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories" }, { "cve": "CVE-2021-21687", "cwe": { "id": "CWE-59", "name": "Improper Link Resolution Before File Access (\u0027Link 
Following\u0027)" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.src", "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.x86_64", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.noarch", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.src", "8Base-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.aarch64", 
"8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.s390x", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.x86_64", "8Base-RHOSE-4.9:openshift-kuryr-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-kuryr-cni-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-common-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-controller-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python-sushy-0:3.12.1-0.20211122142104.806622c.el8.src", "8Base-RHOSE-4.9:python3-kuryr-kubernetes-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-0:3.12.1-0.20211122142104.806622c.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-tests-0:3.12.1-0.20211122142104.806622c.el8.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020324" } ], "notes": [ { "category": "description", "text": "An incorrect permissions validation vulnerability was found in Jenkins. 
The FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic link, which may allow an attacker to get read and write access to arbitrary files on the Jenkins controller file system.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic link", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.src", "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.x86_64", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.noarch", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", 
"8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.src", "8Base-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.aarch64", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.s390x", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.x86_64", "8Base-RHOSE-4.9:openshift-kuryr-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-kuryr-cni-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-common-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-controller-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python-sushy-0:3.12.1-0.20211122142104.806622c.el8.src", "8Base-RHOSE-4.9:python3-kuryr-kubernetes-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-0:3.12.1-0.20211122142104.806622c.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-tests-0:3.12.1-0.20211122142104.806622c.el8.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21687" }, { "category": "external", "summary": 
"RHBZ#2020324", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020324" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21687", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21687" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21687", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21687" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-11-29T10:40:21+00:00", "details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html\n\nDetails on how to access this content are available at https://docs.openshift.com/container-platform/4.9/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4833" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. 
Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.src", "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.x86_64", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.noarch", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.src", "8Base-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.src", 
"8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.aarch64", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.s390x", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.x86_64", "8Base-RHOSE-4.9:openshift-kuryr-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-kuryr-cni-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-common-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-controller-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python-sushy-0:3.12.1-0.20211122142104.806622c.el8.src", "8Base-RHOSE-4.9:python3-kuryr-kubernetes-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-0:3.12.1-0.20211122142104.806622c.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-tests-0:3.12.1-0.20211122142104.806622c.el8.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic link" }, { "cve": "CVE-2021-21688", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" 
}, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.src", "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.x86_64", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.noarch", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.src", "8Base-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.aarch64", 
"8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.s390x", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.x86_64", "8Base-RHOSE-4.9:openshift-kuryr-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-kuryr-cni-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-common-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-controller-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python-sushy-0:3.12.1-0.20211122142104.806622c.el8.src", "8Base-RHOSE-4.9:python3-kuryr-kubernetes-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-0:3.12.1-0.20211122142104.806622c.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-tests-0:3.12.1-0.20211122142104.806622c.el8.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020327" } ], "notes": [ { "category": "description", "text": "An incorrect access restriction vulnerability was found in Jenkins. The FilePath#reading(FileVisitor) does not reject any operations giving users unrestricted read access with certain operations (creating archives, #copyRecursiveTo). 
This may allow an attacker to get access to restricted data.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: FilePath#reading(FileVisitor) does not reject any operations allowing users to have unrestricted read access", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.src", "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.x86_64", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.noarch", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", 
"8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.src", "8Base-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.aarch64", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.s390x", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.x86_64", "8Base-RHOSE-4.9:openshift-kuryr-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-kuryr-cni-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-common-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-controller-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python-sushy-0:3.12.1-0.20211122142104.806622c.el8.src", "8Base-RHOSE-4.9:python3-kuryr-kubernetes-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-0:3.12.1-0.20211122142104.806622c.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-tests-0:3.12.1-0.20211122142104.806622c.el8.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21688" }, { "category": "external", "summary": "RHBZ#2020327", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020327" }, { "category": "external", "summary": 
"https://www.cve.org/CVERecord?id=CVE-2021-21688", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21688" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21688", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21688" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-11-29T10:40:21+00:00", "details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html\n\nDetails on how to access this content are available at https://docs.openshift.com/container-platform/4.9/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4833" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. 
Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.src", "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.x86_64", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.noarch", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.src", "8Base-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.src", 
"8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.aarch64", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.s390x", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.x86_64", "8Base-RHOSE-4.9:openshift-kuryr-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-kuryr-cni-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-common-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-controller-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python-sushy-0:3.12.1-0.20211122142104.806622c.el8.src", "8Base-RHOSE-4.9:python3-kuryr-kubernetes-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-0:3.12.1-0.20211122142104.806622c.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-tests-0:3.12.1-0.20211122142104.806622c.el8.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: FilePath#reading(FileVisitor) does not reject any operations allowing users to have unrestricted read access" }, { "cve": "CVE-2021-21689", "cwe": { "id": "CWE-276", "name": "Incorrect Default Permissions" }, "discovery_date": "2021-11-04T00:00:00+00:00", 
"flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.src", "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.x86_64", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.noarch", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.src", "8Base-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.aarch64", 
"8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.s390x", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.x86_64", "8Base-RHOSE-4.9:openshift-kuryr-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-kuryr-cni-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-common-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-controller-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python-sushy-0:3.12.1-0.20211122142104.806622c.el8.src", "8Base-RHOSE-4.9:python3-kuryr-kubernetes-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-0:3.12.1-0.20211122142104.806622c.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-tests-0:3.12.1-0.20211122142104.806622c.el8.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020335" } ], "notes": [ { "category": "description", "text": "An incorrect access control vulnerability was found in Jenkins. The FilePath#unzip and FilePath#untar were not subjected to any access control. 
An attacker with access to FilePath#unzip or FilePath#untar operations is able to read and write arbitrary files on the Jenkins controller file system.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: FilePath#unzip and FilePath#untar were not subject to any access control", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.src", "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.x86_64", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.noarch", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", 
"8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.src", "8Base-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.aarch64", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.s390x", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.x86_64", "8Base-RHOSE-4.9:openshift-kuryr-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-kuryr-cni-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-common-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-controller-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python-sushy-0:3.12.1-0.20211122142104.806622c.el8.src", "8Base-RHOSE-4.9:python3-kuryr-kubernetes-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-0:3.12.1-0.20211122142104.806622c.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-tests-0:3.12.1-0.20211122142104.806622c.el8.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21689" }, { "category": "external", "summary": "RHBZ#2020335", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020335" }, 
{ "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21689", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21689" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21689", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21689" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-11-29T10:40:21+00:00", "details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html\n\nDetails on how to access this content are available at https://docs.openshift.com/container-platform/4.9/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4833" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. 
Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.src", "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.x86_64", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.noarch", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.src", "8Base-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.src", 
"8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.aarch64", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.s390x", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.x86_64", "8Base-RHOSE-4.9:openshift-kuryr-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-kuryr-cni-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-common-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-controller-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python-sushy-0:3.12.1-0.20211122142104.806622c.el8.src", "8Base-RHOSE-4.9:python3-kuryr-kubernetes-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-0:3.12.1-0.20211122142104.806622c.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-tests-0:3.12.1-0.20211122142104.806622c.el8.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: FilePath#unzip and FilePath#untar were not subject to any access control" }, { "cve": "CVE-2021-21690", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": 
"2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.src", "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.x86_64", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.noarch", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.src", "8Base-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.aarch64", 
"8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.s390x", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.x86_64", "8Base-RHOSE-4.9:openshift-kuryr-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-kuryr-cni-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-common-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-controller-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python-sushy-0:3.12.1-0.20211122142104.806622c.el8.src", "8Base-RHOSE-4.9:python3-kuryr-kubernetes-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-0:3.12.1-0.20211122142104.806622c.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-tests-0:3.12.1-0.20211122142104.806622c.el8.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020336" } ], "notes": [ { "category": "description", "text": "A file path filtering bypass vulnerability was found in Jenkins. Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path. 
This may allow an attacker who controls the agent process to get read and write access to arbitrary files on the Jenkins controller file system.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.src", "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.x86_64", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.noarch", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", 
"8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.src", "8Base-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.aarch64", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.s390x", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.x86_64", "8Base-RHOSE-4.9:openshift-kuryr-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-kuryr-cni-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-common-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-controller-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python-sushy-0:3.12.1-0.20211122142104.806622c.el8.src", "8Base-RHOSE-4.9:python3-kuryr-kubernetes-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-0:3.12.1-0.20211122142104.806622c.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-tests-0:3.12.1-0.20211122142104.806622c.el8.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21690" }, { "category": "external", "summary": "RHBZ#2020336", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020336" }, 
{ "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21690", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21690" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21690", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21690" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-11-29T10:40:21+00:00", "details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html\n\nDetails on how to access this content are available at https://docs.openshift.com/container-platform/4.9/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4833" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. 
Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.src", "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.x86_64", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.noarch", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.src", "8Base-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.src", 
"8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.aarch64", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.s390x", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.x86_64", "8Base-RHOSE-4.9:openshift-kuryr-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-kuryr-cni-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-common-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-controller-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python-sushy-0:3.12.1-0.20211122142104.806622c.el8.src", "8Base-RHOSE-4.9:python3-kuryr-kubernetes-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-0:3.12.1-0.20211122142104.806622c.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-tests-0:3.12.1-0.20211122142104.806622c.el8.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path" }, { "cve": "CVE-2021-21691", "cwe": { "id": "CWE-276", "name": "Incorrect Default Permissions" }, "discovery_date": 
"2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.src", "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.x86_64", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.noarch", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.src", "8Base-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.aarch64", 
"8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.s390x", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.x86_64", "8Base-RHOSE-4.9:openshift-kuryr-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-kuryr-cni-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-common-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-controller-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python-sushy-0:3.12.1-0.20211122142104.806622c.el8.src", "8Base-RHOSE-4.9:python3-kuryr-kubernetes-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-0:3.12.1-0.20211122142104.806622c.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-tests-0:3.12.1-0.20211122142104.806622c.el8.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020338" } ], "notes": [ { "category": "description", "text": "A vulnerability was found in Jenkins which failed to correctly validate permissions. This flaw allowed any user to create symbolic links regardless if they had the symlink permission. 
It may allow an attacker to read and write to arbitrary files on the Jenkins controller file system.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: Creating symbolic links is possible without the symlink permission", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.src", "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.x86_64", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.noarch", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", 
"8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.src", "8Base-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.aarch64", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.s390x", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.x86_64", "8Base-RHOSE-4.9:openshift-kuryr-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-kuryr-cni-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-common-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-controller-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python-sushy-0:3.12.1-0.20211122142104.806622c.el8.src", "8Base-RHOSE-4.9:python3-kuryr-kubernetes-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-0:3.12.1-0.20211122142104.806622c.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-tests-0:3.12.1-0.20211122142104.806622c.el8.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21691" }, { "category": "external", "summary": "RHBZ#2020338", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020338" }, { "category": "external", "summary": 
"https://www.cve.org/CVERecord?id=CVE-2021-21691", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21691" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21691", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21691" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-11-29T10:40:21+00:00", "details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html\n\nDetails on how to access this content are available at https://docs.openshift.com/container-platform/4.9/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4833" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. 
Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.src", "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.x86_64", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.noarch", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.src", "8Base-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.src", 
"8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.aarch64", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.s390x", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.x86_64", "8Base-RHOSE-4.9:openshift-kuryr-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-kuryr-cni-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-common-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-controller-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python-sushy-0:3.12.1-0.20211122142104.806622c.el8.src", "8Base-RHOSE-4.9:python3-kuryr-kubernetes-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-0:3.12.1-0.20211122142104.806622c.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-tests-0:3.12.1-0.20211122142104.806622c.el8.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: Creating symbolic links is possible without the symlink permission" }, { "cve": "CVE-2021-21692", "cwe": { "id": "CWE-276", "name": "Incorrect Default Permissions" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": 
"vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.src", "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.x86_64", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.noarch", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.src", "8Base-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.aarch64", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.ppc64le", 
"8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.s390x", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.x86_64", "8Base-RHOSE-4.9:openshift-kuryr-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-kuryr-cni-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-common-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-controller-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python-sushy-0:3.12.1-0.20211122142104.806622c.el8.src", "8Base-RHOSE-4.9:python3-kuryr-kubernetes-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-0:3.12.1-0.20211122142104.806622c.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-tests-0:3.12.1-0.20211122142104.806622c.el8.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020339" } ], "notes": [ { "category": "description", "text": "An incorrect permissions validation vulnerability was found in Jenkins. 
The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the source path which may allow an attacker who has access to these operations to be able to read and write to arbitrary files on the Jenkins controller file system.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the source path", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.src", "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.x86_64", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.noarch", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", 
"8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.src", "8Base-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.aarch64", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.s390x", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.x86_64", "8Base-RHOSE-4.9:openshift-kuryr-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-kuryr-cni-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-common-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-controller-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python-sushy-0:3.12.1-0.20211122142104.806622c.el8.src", "8Base-RHOSE-4.9:python3-kuryr-kubernetes-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-0:3.12.1-0.20211122142104.806622c.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-tests-0:3.12.1-0.20211122142104.806622c.el8.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21692" }, { "category": "external", "summary": 
"RHBZ#2020339", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020339" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21692", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21692" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21692", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21692" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-11-29T10:40:21+00:00", "details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html\n\nDetails on how to access this content are available at https://docs.openshift.com/container-platform/4.9/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4833" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. 
Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.src", "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.x86_64", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.noarch", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.src", "8Base-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.src", 
"8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.aarch64", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.s390x", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.x86_64", "8Base-RHOSE-4.9:openshift-kuryr-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-kuryr-cni-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-common-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-controller-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python-sushy-0:3.12.1-0.20211122142104.806622c.el8.src", "8Base-RHOSE-4.9:python3-kuryr-kubernetes-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-0:3.12.1-0.20211122142104.806622c.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-tests-0:3.12.1-0.20211122142104.806622c.el8.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the source path" }, { "cve": "CVE-2021-21693", "cwe": { "id": "CWE-276", "name": "Incorrect Default Permissions" }, "discovery_date": 
"2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.src", "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.x86_64", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.noarch", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.src", "8Base-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.aarch64", 
"8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.s390x", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.x86_64", "8Base-RHOSE-4.9:openshift-kuryr-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-kuryr-cni-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-common-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-controller-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python-sushy-0:3.12.1-0.20211122142104.806622c.el8.src", "8Base-RHOSE-4.9:python3-kuryr-kubernetes-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-0:3.12.1-0.20211122142104.806622c.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-tests-0:3.12.1-0.20211122142104.806622c.el8.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020341" } ], "notes": [ { "category": "description", "text": "An incorrect permissions validation vulnerability was found in Jenkins. The permissions to create temporary files are only checked after they have been created. 
This may allow an attacker to get access to restricted data.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: When creating temporary files, permission to create files is only checked after they\u2019ve been created.", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.src", "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.x86_64", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.noarch", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", 
"8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.src", "8Base-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.aarch64", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.s390x", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.x86_64", "8Base-RHOSE-4.9:openshift-kuryr-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-kuryr-cni-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-common-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-controller-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python-sushy-0:3.12.1-0.20211122142104.806622c.el8.src", "8Base-RHOSE-4.9:python3-kuryr-kubernetes-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-0:3.12.1-0.20211122142104.806622c.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-tests-0:3.12.1-0.20211122142104.806622c.el8.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21693" }, { "category": "external", "summary": "RHBZ#2020341", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020341" }, { "category": "external", "summary": 
"https://www.cve.org/CVERecord?id=CVE-2021-21693", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21693" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21693", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21693" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-11-29T10:40:21+00:00", "details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html\n\nDetails on how to access this content are available at https://docs.openshift.com/container-platform/4.9/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4833" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. 
Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.src", "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.x86_64", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.noarch", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.src", "8Base-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.src", 
"8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.aarch64", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.s390x", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.x86_64", "8Base-RHOSE-4.9:openshift-kuryr-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-kuryr-cni-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-common-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-controller-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python-sushy-0:3.12.1-0.20211122142104.806622c.el8.src", "8Base-RHOSE-4.9:python3-kuryr-kubernetes-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-0:3.12.1-0.20211122142104.806622c.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-tests-0:3.12.1-0.20211122142104.806622c.el8.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: When creating temporary files, permission to create files is only checked after they\u2019ve been created." 
}, { "cve": "CVE-2021-21694", "cwe": { "id": "CWE-863", "name": "Incorrect Authorization" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.src", "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.x86_64", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.noarch", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.src", "8Base-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.src", 
"8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.aarch64", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.s390x", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.x86_64", "8Base-RHOSE-4.9:openshift-kuryr-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-kuryr-cni-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-common-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-controller-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python-sushy-0:3.12.1-0.20211122142104.806622c.el8.src", "8Base-RHOSE-4.9:python3-kuryr-kubernetes-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-0:3.12.1-0.20211122142104.806622c.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-tests-0:3.12.1-0.20211122142104.806622c.el8.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020342" } ], "notes": [ { "category": "description", "text": "An incorrect permissions validation vulnerability was found in Jenkins. 
The FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions, which may allow an attacker who has access to any of these operations to be able to read and write arbitrary files on the Jenkins controller file system.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.src", "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.x86_64", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.noarch", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", 
"8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.src", "8Base-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.aarch64", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.s390x", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.x86_64", "8Base-RHOSE-4.9:openshift-kuryr-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-kuryr-cni-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-common-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-controller-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python-sushy-0:3.12.1-0.20211122142104.806622c.el8.src", "8Base-RHOSE-4.9:python3-kuryr-kubernetes-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-0:3.12.1-0.20211122142104.806622c.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-tests-0:3.12.1-0.20211122142104.806622c.el8.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": 
"https://access.redhat.com/security/cve/CVE-2021-21694" }, { "category": "external", "summary": "RHBZ#2020342", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020342" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21694", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21694" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21694", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21694" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-11-29T10:40:21+00:00", "details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html\n\nDetails on how to access this content are available at https://docs.openshift.com/container-platform/4.9/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4833" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. 
Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.src", "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.x86_64", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.noarch", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.src", "8Base-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.src", 
"8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.aarch64", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.s390x", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.x86_64", "8Base-RHOSE-4.9:openshift-kuryr-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-kuryr-cni-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-common-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-controller-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python-sushy-0:3.12.1-0.20211122142104.806622c.el8.src", "8Base-RHOSE-4.9:python3-kuryr-kubernetes-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-0:3.12.1-0.20211122142104.806622c.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-tests-0:3.12.1-0.20211122142104.806622c.el8.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions" }, { "cve": "CVE-2021-21695", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted 
Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.src", "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.x86_64", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.noarch", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.src", "8Base-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.aarch64", 
"8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.s390x", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.x86_64", "8Base-RHOSE-4.9:openshift-kuryr-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-kuryr-cni-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-common-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-controller-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python-sushy-0:3.12.1-0.20211122142104.806622c.el8.src", "8Base-RHOSE-4.9:python3-kuryr-kubernetes-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-0:3.12.1-0.20211122142104.806622c.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-tests-0:3.12.1-0.20211122142104.806622c.el8.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020343" } ], "notes": [ { "category": "description", "text": "An incorrect permissions validation vulnerability was found in Jenkins. The FilePath#listFiles lists files outside directories with agent read access when following symbolic links. 
This may allow an attacker to get access to restricted data.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: FilePath#listFiles lists files outside directories with agent read access when following symbolic links.", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.src", "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.x86_64", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.noarch", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", 
"8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.src", "8Base-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.aarch64", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.s390x", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.x86_64", "8Base-RHOSE-4.9:openshift-kuryr-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-kuryr-cni-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-common-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-controller-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python-sushy-0:3.12.1-0.20211122142104.806622c.el8.src", "8Base-RHOSE-4.9:python3-kuryr-kubernetes-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-0:3.12.1-0.20211122142104.806622c.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-tests-0:3.12.1-0.20211122142104.806622c.el8.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21695" }, { "category": "external", "summary": "RHBZ#2020343", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020343" }, { "category": "external", "summary": 
"https://www.cve.org/CVERecord?id=CVE-2021-21695", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21695" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21695", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21695" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-11-29T10:40:21+00:00", "details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html\n\nDetails on how to access this content are available at https://docs.openshift.com/container-platform/4.9/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4833" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. 
Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.src", "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.x86_64", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.noarch", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.src", "8Base-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.src", 
"8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.aarch64", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.s390x", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.x86_64", "8Base-RHOSE-4.9:openshift-kuryr-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-kuryr-cni-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-common-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-controller-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python-sushy-0:3.12.1-0.20211122142104.806622c.el8.src", "8Base-RHOSE-4.9:python3-kuryr-kubernetes-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-0:3.12.1-0.20211122142104.806622c.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-tests-0:3.12.1-0.20211122142104.806622c.el8.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: FilePath#listFiles lists files outside directories with agent read access when following symbolic links." 
}, { "cve": "CVE-2021-21696", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.src", "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.x86_64", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.noarch", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.src", 
"8Base-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.aarch64", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.s390x", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.x86_64", "8Base-RHOSE-4.9:openshift-kuryr-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-kuryr-cni-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-common-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-controller-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python-sushy-0:3.12.1-0.20211122142104.806622c.el8.src", "8Base-RHOSE-4.9:python3-kuryr-kubernetes-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-0:3.12.1-0.20211122142104.806622c.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-tests-0:3.12.1-0.20211122142104.806622c.el8.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020344" } ], "notes": [ { "category": "description", "text": "An incorrect permissions validation vulnerability was found in Jenkins. An agent process read/write access to the libs/ directory inside build directories when using the FilePath APIs is not limited. 
This allows attackers in control of agent processes to replace the code of a trusted library with a modified variant, resulting in unsandboxed code execution in the Jenkins controller process.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: Agent-to-controller access control allowed writing to sensitive directory used by Pipeline: Shared Groovy Libraries Plugin", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.src", "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.x86_64", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.noarch", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", 
"8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.src", "8Base-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.aarch64", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.s390x", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.x86_64", "8Base-RHOSE-4.9:openshift-kuryr-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-kuryr-cni-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-common-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-controller-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python-sushy-0:3.12.1-0.20211122142104.806622c.el8.src", "8Base-RHOSE-4.9:python3-kuryr-kubernetes-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-0:3.12.1-0.20211122142104.806622c.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-tests-0:3.12.1-0.20211122142104.806622c.el8.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21696" }, { "category": "external", "summary": 
"RHBZ#2020344", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020344" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21696", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21696" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21696", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21696" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2423", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2423" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-11-29T10:40:21+00:00", "details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html\n\nDetails on how to access this content are available at https://docs.openshift.com/container-platform/4.9/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4833" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. 
Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.src", "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.x86_64", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.noarch", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.src", "8Base-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.src", 
"8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.aarch64", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.s390x", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.x86_64", "8Base-RHOSE-4.9:openshift-kuryr-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-kuryr-cni-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-common-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-controller-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python-sushy-0:3.12.1-0.20211122142104.806622c.el8.src", "8Base-RHOSE-4.9:python3-kuryr-kubernetes-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-0:3.12.1-0.20211122142104.806622c.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-tests-0:3.12.1-0.20211122142104.806622c.el8.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: Agent-to-controller access control allowed writing to sensitive directory used by Pipeline: Shared Groovy Libraries Plugin" }, { "cve": "CVE-2021-21697", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory 
(\u0027Path Traversal\u0027)" }, "discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.src", "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.x86_64", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.noarch", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.src", "8Base-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.aarch64", 
"8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.s390x", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.x86_64", "8Base-RHOSE-4.9:openshift-kuryr-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-kuryr-cni-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-common-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-controller-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python-sushy-0:3.12.1-0.20211122142104.806622c.el8.src", "8Base-RHOSE-4.9:python3-kuryr-kubernetes-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-0:3.12.1-0.20211122142104.806622c.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-tests-0:3.12.1-0.20211122142104.806622c.el8.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020345" } ], "notes": [ { "category": "description", "text": "An incorrect access restriction vulnerability was found in Jenkins. The directories agents are allowed to access include the directories where there are stored build-related information intended to allow agents to store build-related metadata during build execution. 
As a consequence, this allows an attacker who controls agent process to read and write the contents of any build directory stored in Jenkins with very few restrictions (build.xml and some Pipeline-related metadata).", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: Agent-to-controller access control allows reading/writing most content of build directories", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.src", "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.x86_64", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.noarch", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", 
"8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.src", "8Base-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.aarch64", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.s390x", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.x86_64", "8Base-RHOSE-4.9:openshift-kuryr-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-kuryr-cni-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-common-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-controller-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python-sushy-0:3.12.1-0.20211122142104.806622c.el8.src", "8Base-RHOSE-4.9:python3-kuryr-kubernetes-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-0:3.12.1-0.20211122142104.806622c.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-tests-0:3.12.1-0.20211122142104.806622c.el8.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21697" }, { "category": "external", "summary": 
"RHBZ#2020345", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020345" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21697", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21697" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21697", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21697" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2428", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2428" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-11-29T10:40:21+00:00", "details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html\n\nDetails on how to access this content are available at https://docs.openshift.com/container-platform/4.9/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4833" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. 
Please update the affected package as soon as possible.", "product_ids": [ "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.src", "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.x86_64", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.noarch", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.src", "8Base-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.src", 
"8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.aarch64", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.s390x", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.x86_64", "8Base-RHOSE-4.9:openshift-kuryr-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-kuryr-cni-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-common-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-controller-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python-sushy-0:3.12.1-0.20211122142104.806622c.el8.src", "8Base-RHOSE-4.9:python3-kuryr-kubernetes-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-0:3.12.1-0.20211122142104.806622c.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-tests-0:3.12.1-0.20211122142104.806622c.el8.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins: Agent-to-controller access control allows reading/writing most content of build directories" }, { "cve": "CVE-2021-21698", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, 
"discovery_date": "2021-11-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.src", "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.x86_64", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.noarch", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src", "8Base-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.aarch64", 
"8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.s390x", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.x86_64", "8Base-RHOSE-4.9:openshift-kuryr-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-kuryr-cni-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-common-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-controller-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python-sushy-0:3.12.1-0.20211122142104.806622c.el8.src", "8Base-RHOSE-4.9:python3-kuryr-kubernetes-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-0:3.12.1-0.20211122142104.806622c.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-tests-0:3.12.1-0.20211122142104.806622c.el8.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2020385" } ], "notes": [ { "category": "description", "text": "An incorrect access restriction vulnerability was found in the Subversion Plugin for Jenkins. An agent\u0027s ability to learn the name of a file is not restricted when looking up a subversion key file on the controller. 
This may allow attackers to control agent processes and read arbitrary files on the Jenkins controller file system.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins-2-plugins/subversion: does not restrict the name of a file when looking up a subversion key", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.src", "7Server-RH7-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64", "7Server-RH7-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.src", "7Server-RH7-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.x86_64", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.noarch", "8Base-RHOSE-4.9:container-selinux-2:2.170.0-2.rhaos4.9.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.src", "8Base-RHOSE-4.9:cri-o-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debuginfo-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", 
"8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.aarch64", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.s390x", "8Base-RHOSE-4.9:cri-o-debugsource-0:1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-0:2.303.3.1637595827-1.el8.src", "8Base-RHOSE-4.9:openshift-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.aarch64", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.ppc64le", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.s390x", "8Base-RHOSE-4.9:openshift-hyperkube-0:4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.x86_64", "8Base-RHOSE-4.9:openshift-kuryr-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.src", "8Base-RHOSE-4.9:openshift-kuryr-cni-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-common-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:openshift-kuryr-controller-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python-sushy-0:3.12.1-0.20211122142104.806622c.el8.src", "8Base-RHOSE-4.9:python3-kuryr-kubernetes-0:4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-0:3.12.1-0.20211122142104.806622c.el8.noarch", "8Base-RHOSE-4.9:python3-sushy-tests-0:3.12.1-0.20211122142104.806622c.el8.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21698" }, { "category": "external", "summary": "RHBZ#2020385", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020385" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21698", 
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21698" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21698", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21698" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2506", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2506" } ], "release_date": "2021-11-04T14:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-11-29T10:40:21+00:00", "details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html\n\nDetails on how to access this content are available at https://docs.openshift.com/container-platform/4.9/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:4833" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.noarch", "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1637598812-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jenkins-2-plugins/subversion: does not restrict the name of a file when looking up a subversion key" } ] }
gsd-2021-21692
Vulnerability from gsd
{ "GSD": { "alias": "CVE-2021-21692", "description": "FilePath#renameTo and FilePath#moveAllChildrenTo in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier only check \u0027read\u0027 agent-to-controller access permission on the source path, instead of \u0027delete\u0027.", "id": "GSD-2021-21692", "references": [ "https://access.redhat.com/errata/RHSA-2021:4833", "https://access.redhat.com/errata/RHSA-2021:4829", "https://access.redhat.com/errata/RHSA-2021:4827", "https://access.redhat.com/errata/RHSA-2021:4801", "https://access.redhat.com/errata/RHSA-2021:4799", "https://security.archlinux.org/CVE-2021-21692" ] }, "gsd": { "metadata": { "exploitCode": "unknown", "remediation": "unknown", "reportConfidence": "confirmed", "type": "vulnerability" }, "osvSchema": { "aliases": [ "CVE-2021-21692" ], "details": "FilePath#renameTo and FilePath#moveAllChildrenTo in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier only check \u0027read\u0027 agent-to-controller access permission on the source path, instead of \u0027delete\u0027.", "id": "GSD-2021-21692", "modified": "2023-12-13T01:23:10.958228Z", "schema_version": "1.4.0" } }, "namespaces": { "cve.org": { "CVE_data_meta": { "ASSIGNER": "jenkinsci-cert@googlegroups.com", "ID": "CVE-2021-21692", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jenkins", "version": { "version_data": [ { "version_affected": "\u003c=", "version_name": "unspecified", "version_value": "2.318" } ] } } ] }, "vendor_name": "Jenkins project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "FilePath#renameTo and FilePath#moveAllChildrenTo in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier only check \u0027read\u0027 agent-to-controller access permission on the source path, instead of \u0027delete\u0027." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "refsource": "MISC", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ] } }, "gitlab.com": { "advisories": [ { "affected_range": "(,2.319)", "affected_versions": "All versions before 2.319", "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cwe_ids": [ "CWE-1035", "CWE-863", "CWE-937" ], "date": "2021-11-09", "description": "FilePath#renameTo and FilePath#moveAllChildrenTo in Jenkins only check \u0027read\u0027 agent-to-controller access permission on the source path, instead of \u0027delete\u0027.", "fixed_versions": [], "identifier": "CVE-2021-21692", "identifiers": [ "CVE-2021-21692" ], "not_impacted": "", "package_slug": "maven/org.jenkins-ci.main/jenkins-core", "pubdate": "2021-11-04", "solution": "Unfortunately, there is no solution available yet.", "title": "Incorrect Authorization", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2021-21692", "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" ], "uuid": "d99f3290-1bca-4732-ac90-989de21b35b4" } ] }, "nvd.nist.gov": { "configurations": { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*", "cpe_name": [], "versionEndExcluding": "2.303.3", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*", "cpe_name": [], "versionEndExcluding": "2.319", "vulnerable": true } ], "operator": "OR" } ] }, "cve": { "CVE_data_meta": { "ASSIGNER": "jenkinsci-cert@googlegroups.com", "ID": "CVE-2021-21692" }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "en", "value": "FilePath#renameTo and FilePath#moveAllChildrenTo in Jenkins 2.318 and 
earlier, LTS 2.303.2 and earlier only check \u0027read\u0027 agent-to-controller access permission on the source path, instead of \u0027delete\u0027." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "en", "value": "CWE-22" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "refsource": "CONFIRM", "tags": [ "Vendor Advisory" ], "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ] } }, "impact": { "baseMetricV2": { "acInsufInfo": false, "cvssV2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false }, "baseMetricV3": { "cvssV3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9 } }, "lastModifiedDate": "2023-11-22T21:23Z", "publishedDate": "2021-11-04T17:15Z" } } }
ghsa-8xg4-xq2v-v6j7
Vulnerability from github
The agent-to-controller security subsystem limits which files on the Jenkins controller can be accessed by agent processes.
Multiple vulnerabilities in the file path filtering implementation of Jenkins 2.318 and earlier, LTS 2.303.2 and earlier allow agent processes to read and write arbitrary files on the Jenkins controller file system, and obtain some information about Jenkins controller file systems.
SECURITY-2538 / CVE-2021-21692: The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the source path.
We expect that most of these vulnerabilities have been present since SECURITY-144 was addressed in the 2014-10-30 security advisory.
Jenkins 2.319, LTS 2.303.3 addresses these security vulnerabilities.
SECURITY-2538 / CVE-2021-21692: The operations FilePath#renameTo and FilePath#moveAllChildrenTo check both read and delete permissions on the source path.
As some common operations are now newly subject to access control, it is expected that plugins sending commands from agents to the controller may start failing. Additionally, the newly introduced path canonicalization means that instances using a custom builds directory (Java system property jenkins.model.Jenkins.buildsDir) or partitioning JENKINS_HOME using symbolic links may fail access control checks. See the documentation for how to customize the configuration in case of problems.
If you are unable to immediately upgrade to Jenkins 2.319, LTS 2.303.3, you can install the Remoting Security Workaround Plugin. It will prevent all agent-to-controller file access using FilePath APIs. Because it is more restrictive than Jenkins 2.319, LTS 2.303.3, more plugins are incompatible with it. Make sure to read the plugin documentation before installing it.
{ "affected": [ { "database_specific": { "last_known_affected_version_range": "\u003c= 2.303.2" }, "package": { "ecosystem": "Maven", "name": "org.jenkins-ci.main:jenkins-core" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "2.303.3" } ], "type": "ECOSYSTEM" } ] }, { "database_specific": { "last_known_affected_version_range": "\u003c= 2.318" }, "package": { "ecosystem": "Maven", "name": "org.jenkins-ci.main:jenkins-core" }, "ranges": [ { "events": [ { "introduced": "2.304" }, { "fixed": "2.319" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2021-21692" ], "database_specific": { "cwe_ids": [ "CWE-22", "CWE-863" ], "github_reviewed": true, "github_reviewed_at": "2022-06-23T06:47:32Z", "nvd_published_at": "2021-11-04T17:15:00Z", "severity": "CRITICAL" }, "details": "The agent-to-controller security subsystem limits which files on the Jenkins controller can be accessed by agent processes.\n\nMultiple vulnerabilities in the file path filtering implementation of Jenkins 2.318 and earlier, LTS 2.303.2 and earlier allow agent processes to read and write arbitrary files on the Jenkins controller file system, and obtain some information about Jenkins controller file systems.\n\nSECURITY-2538 / CVE-2021-21692: The operations `FilePath#renameTo` and `FilePath#moveAllChildrenTo` only check read permission on the source path.\n\nWe expect that most of these vulnerabilities have been present since [SECURITY-144 was addressed in the 2014-10-30 security advisory](https://www.jenkins.io/security/advisory/2014-10-30/).\n\nJenkins 2.319, LTS 2.303.3 addresses these security vulnerabilities.\n\nSECURITY-2538 / CVE-2021-21692: The operations `FilePath#renameTo` and `FilePath#moveAllChildrenTo` check both read and delete permissions on the source path.\n\nAs some common operations are now newly subject to access control, it is expected that plugins sending commands from agents to the controller may start failing. 
Additionally, the newly introduced path canonicalization means that instances using a custom builds directory ([Java system property jenkins.model.Jenkins.buildsDir](https://www.jenkins.io/doc/book/managing/system-properties/#jenkins-model-jenkins-buildsdir)) or partitioning `JENKINS_HOME` using symbolic links may fail access control checks. See [the documentation](https://www.jenkins.io/doc/book/security/controller-isolation/agent-to-controller/#file-access-rules) for how to customize the configuration in case of problems.\n\nIf you are unable to immediately upgrade to Jenkins 2.319, LTS 2.303.3, you can install the [Remoting Security Workaround Plugin](https://www.jenkins.io/redirect/remoting-security-workaround/). It will prevent all agent-to-controller file access using `FilePath` APIs. Because it is more restrictive than Jenkins 2.319, LTS 2.303.3, more plugins are incompatible with it. Make sure to read the plugin documentation before installing it.", "id": "GHSA-8xg4-xq2v-v6j7", "modified": "2022-12-16T20:36:35Z", "published": "2022-05-24T19:19:44Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21692" }, { "type": "WEB", "url": "https://github.com/jenkinsci/jenkins/commit/104c751d907919dd53f5090f84d53c671a66457b" }, { "type": "WEB", "url": "https://github.com/jenkinsci/jenkins/commit/5a245e42979abe4a26d41727c839521e36cedd74" }, { "type": "WEB", "url": "https://github.com/jenkinsci/jenkins/commit/63cde2daadc705edf086f2213b48c8c547f98358" }, { "type": "PACKAGE", "url": "https://github.com/jenkinsci/jenkins" }, { "type": "WEB", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "type": "CVSS_V3" } ], "summary": "Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in Jenkins" }