Bug 2020322 (CVE-2021-21685)
Summary: | CVE-2021-21685 jenkins: FilePath#mkdirs does not check permission to create parent directories | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Michael Kaplan <mkaplan> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | abenaiss, aileenc, aos-bugs, bmontgom, chazlett, drieden, eparis, ggaughan, gmalinko, janstey, jburrell, jochrist, jokerman, jwon, nstielau, pbhattac, pdelbell, spandura, sponnaga, vkumar |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | jenkins 2.319, jenkins LTS 2.303.3 | Doc Type: | If docs needed, set a value |
Doc Text: |
An incorrect permissions validation vulnerability was found in Jenkins. The FilePath#mkdirs does not check permission to create parent directories, which may allow an attacker who controls the agent process to get read and write arbitrary files on the Jenkins controller file system.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2021-12-02 22:39:26 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 2020611, 2020612, 2020613, 2020614, 2020615, 2020616 | ||
Bug Blocks: | 2020347 |
Description
Michael Kaplan
2021-11-04 15:33:27 UTC
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.9 Via RHSA-2021:4833 https://access.redhat.com/errata/RHSA-2021:4833 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.8 Via RHSA-2021:4829 https://access.redhat.com/errata/RHSA-2021:4829 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.7 Via RHSA-2021:4801 https://access.redhat.com/errata/RHSA-2021:4801 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2021:4799 https://access.redhat.com/errata/RHSA-2021:4799 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.11 Via RHSA-2021:4827 https://access.redhat.com/errata/RHSA-2021:4827 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-21685 |