Bug 2020342 (CVE-2021-21694)
Summary: | CVE-2021-21694 jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Michael Kaplan <mkaplan> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | abenaiss, aileenc, aos-bugs, bmontgom, chazlett, drieden, eparis, ggaughan, gmalinko, janstey, jburrell, jochrist, jokerman, jwon, nstielau, pbhattac, pdelbell, spandura, sponnaga, vkumar |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | jenkins 2.319, jenkins LTS 2.303.3 | Doc Type: | If docs needed, set a value |
Doc Text: |
An incorrect permissions validation vulnerability was found in Jenkins. The FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions, which may allow an attacker who has access to any of these operations to be able to read and write arbitrary files on the Jenkins controller file system.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2021-12-02 23:09:13 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 2020611, 2020612, 2020613, 2020614, 2020615, 2020616 | ||
Bug Blocks: | 2020347 |
Description
Michael Kaplan
2021-11-04 16:02:39 UTC
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.9 Via RHSA-2021:4833 https://access.redhat.com/errata/RHSA-2021:4833 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.8 Via RHSA-2021:4829 https://access.redhat.com/errata/RHSA-2021:4829 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.7 Via RHSA-2021:4801 https://access.redhat.com/errata/RHSA-2021:4801 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2021:4799 https://access.redhat.com/errata/RHSA-2021:4799 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.11 Via RHSA-2021:4827 https://access.redhat.com/errata/RHSA-2021:4827 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-21694 |