ghsa-vpjm-58cw-r8q5
Vulnerability from github
Published
2022-05-24 17:39
Modified
2022-12-13 15:17
Summary
Arbitrary file read vulnerability in workspace browsers in Jenkins
Details

The file browser for workspaces, archived artifacts, and $JENKINS_HOME/userContent/ follows symbolic links to locations outside the directory being browsed in Jenkins 2.274 and earlier, LTS 2.263.1 and earlier.

This allows attackers with Job/Workspace permission and the ability to control workspace contents (e.g., with Job/Configure permission or the ability to change SCM contents) to create symbolic links that allow them to access files outside workspaces using the workspace browser.

This issue is caused by an incomplete fix for SECURITY-904 / CVE-2018-1000862 in the 2018-12-08 security advisory.

Jenkins 2.275, LTS 2.263.2 no longer supports symlinks in workspace browsers. While they may still exist on the file system, they are no longer shown on the UI, accessible via URLs, or included in directory content downloads.

This fix only changes the behavior of the Jenkins UI. Archiving artifacts still behaves as before.

Show details on source website


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.263.1"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.main:jenkins-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.263.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.274"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.main:jenkins-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.264"
            },
            {
              "fixed": "2.275"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-21602"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-23T06:52:14Z",
    "nvd_published_at": "2021-01-13T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The file browser for workspaces, archived artifacts, and `$JENKINS_HOME/userContent/` follows symbolic links to locations outside the directory being browsed in Jenkins 2.274 and earlier, LTS 2.263.1 and earlier.\n\nThis allows attackers with Job/Workspace permission and the ability to control workspace contents (e.g., with Job/Configure permission or the ability to change SCM contents) to create symbolic links that allow them to access files outside workspaces using the workspace browser.\n\nThis issue is caused by an incomplete fix for SECURITY-904 / CVE-2018-1000862 in the [2018-12-08 security advisory](https://www.jenkins.io/security/advisory/2018-12-05/#SECURITY-904).\n\nJenkins 2.275, LTS 2.263.2 no longer supports symlinks in workspace browsers. While they may still exist on the file system, they are no longer shown on the UI, accessible via URLs, or included in directory content downloads.\n\nThis fix only changes the behavior of the Jenkins UI. Archiving artifacts still behaves as before.",
  "id": "GHSA-vpjm-58cw-r8q5",
  "modified": "2022-12-13T15:17:03Z",
  "published": "2022-05-24T17:39:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21602"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/jenkins/commit/71d2ecf1a4e5303e80815eaa3935c4f2fa3d9104"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/jenkins"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-1452"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Arbitrary file read vulnerability in workspace browsers in Jenkins"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.