Agents are allowed some limited access to files on the Jenkins controller file system. The directories agents are allowed to access in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier include the directories storing build-related information, intended to allow agents to store build-related metadata during build execution. As a consequence, this allows any agent to read and write the contents of any build directory stored in Jenkins with very few restrictions (build.xml and some Pipeline-related metadata).
Reference: https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2428
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.9 Via RHSA-2021:4833 https://access.redhat.com/errata/RHSA-2021:4833
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.8 Via RHSA-2021:4829 https://access.redhat.com/errata/RHSA-2021:4829
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.7 Via RHSA-2021:4801 https://access.redhat.com/errata/RHSA-2021:4801
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2021:4799 https://access.redhat.com/errata/RHSA-2021:4799
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.11 Via RHSA-2021:4827 https://access.redhat.com/errata/RHSA-2021:4827
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-21697