GHSA-QXP6-27GW-99CJ

Vulnerability from github – Published: 2022-05-24 17:40 – Updated: 2022-12-13 15:58
VLAI?
Summary
Time-of-check Time-of-use (TOCTOU) Race Condition in Jenkins
Details

Due to a time-of-check to time-of-use (TOCTOU) race condition, the file browser for workspaces, archived artifacts, and $JENKINS_HOME/userContent/ follows symbolic links to locations outside the directory being browsed in Jenkins 2.275 and LTS 2.263.2.

This allows attackers with Job/Workspace permission and the ability to control workspace contents, e.g., with Job/Configure permission or the ability to change SCM contents, to create symbolic links that allow them to access files outside workspaces using the workspace browser.

This issue is caused by an incorrectly applied fix for SECURITY-1452 / CVE-2021-21602 in the 2021-01-13 security advisory.

Jenkins 2.276, LTS 2.263.3 no longer differentiates the check and the use of symlinks in workspace browsers.

Severity ?
5.3 (Medium)
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.263.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.main:jenkins-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.263.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.275"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.main:jenkins-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.264"
            },
            {
              "fixed": "2.276"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-21615"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-367"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-23T06:50:38Z",
    "nvd_published_at": "2021-01-26T18:16:00Z",
    "severity": "MODERATE"
  },
  "details": "Due to a time-of-check to time-of-use (TOCTOU) race condition, the file browser for workspaces, archived artifacts, and `$JENKINS_HOME/userContent/` follows symbolic links to locations outside the directory being browsed in Jenkins 2.275 and LTS 2.263.2.\n\nThis allows attackers with Job/Workspace permission and the ability to control workspace contents, e.g., with Job/Configure permission or the ability to change SCM contents, to create symbolic links that allow them to access files outside workspaces using the workspace browser.\n\nThis issue is caused by an incorrectly applied fix for SECURITY-1452 / CVE-2021-21602 in the [2021-01-13 security advisory](https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-1452).\n\nJenkins 2.276, LTS 2.263.3 no longer differentiates the check and the use of symlinks in workspace browsers.",
  "id": "GHSA-qxp6-27gw-99cj",
  "modified": "2022-12-13T15:58:50Z",
  "published": "2022-05-24T17:40:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21615"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2021-01-26/#SECURITY-2197"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/01/26/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Time-of-check Time-of-use (TOCTOU) Race Condition in Jenkins"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.