
Vulnerability_id VCID-evt5-t9pq-n7a7
Summary
Time-of-check Time-of-use (TOCTOU) Race Condition in Jenkins
Due to a time-of-check to time-of-use (TOCTOU) race condition, the file browser for workspaces, archived artifacts, and `$JENKINS_HOME/userContent/` follows symbolic links to locations outside the directory being browsed in Jenkins 2.275 and LTS 2.263.2.

This allows attackers with Job/Workspace permission and the ability to control workspace contents, e.g., with Job/Configure permission or the ability to change SCM contents, to create symbolic links that allow them to access files outside workspaces using the workspace browser.

This issue is caused by an incorrectly applied fix for SECURITY-1452 / CVE-2021-21602 in the [2021-01-13 security advisory](https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-1452).

Jenkins 2.276 and LTS 2.263.3 no longer separate the check from the use of symbolic links in workspace browsers, closing the race window.
Aliases
0
alias CVE-2021-21615
1
alias GHSA-qxp6-27gw-99cj
Fixed_packages
0
url pkg:alpm/archlinux/jenkins@2.276-1
purl pkg:alpm/archlinux/jenkins@2.276-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/jenkins@2.276-1
1
url pkg:apk/alpine/jenkins@2.281-r0?arch=aarch64&distroversion=v3.13&reponame=community
purl pkg:apk/alpine/jenkins@2.281-r0?arch=aarch64&distroversion=v3.13&reponame=community
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:apk/alpine/jenkins@2.281-r0%3Farch=aarch64&distroversion=v3.13&reponame=community
2
url pkg:apk/alpine/jenkins@2.281-r0?arch=armhf&distroversion=v3.13&reponame=community
purl pkg:apk/alpine/jenkins@2.281-r0?arch=armhf&distroversion=v3.13&reponame=community
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:apk/alpine/jenkins@2.281-r0%3Farch=armhf&distroversion=v3.13&reponame=community
3
url pkg:apk/alpine/jenkins@2.281-r0?arch=armv7&distroversion=v3.13&reponame=community
purl pkg:apk/alpine/jenkins@2.281-r0?arch=armv7&distroversion=v3.13&reponame=community
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:apk/alpine/jenkins@2.281-r0%3Farch=armv7&distroversion=v3.13&reponame=community
4
url pkg:apk/alpine/jenkins@2.281-r0?arch=mips64&distroversion=v3.13&reponame=community
purl pkg:apk/alpine/jenkins@2.281-r0?arch=mips64&distroversion=v3.13&reponame=community
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:apk/alpine/jenkins@2.281-r0%3Farch=mips64&distroversion=v3.13&reponame=community
5
url pkg:apk/alpine/jenkins@2.281-r0?arch=ppc64le&distroversion=v3.13&reponame=community
purl pkg:apk/alpine/jenkins@2.281-r0?arch=ppc64le&distroversion=v3.13&reponame=community
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:apk/alpine/jenkins@2.281-r0%3Farch=ppc64le&distroversion=v3.13&reponame=community
6
url pkg:apk/alpine/jenkins@2.281-r0?arch=s390x&distroversion=v3.13&reponame=community
purl pkg:apk/alpine/jenkins@2.281-r0?arch=s390x&distroversion=v3.13&reponame=community
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:apk/alpine/jenkins@2.281-r0%3Farch=s390x&distroversion=v3.13&reponame=community
7
url pkg:apk/alpine/jenkins@2.281-r0?arch=x86&distroversion=v3.13&reponame=community
purl pkg:apk/alpine/jenkins@2.281-r0?arch=x86&distroversion=v3.13&reponame=community
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:apk/alpine/jenkins@2.281-r0%3Farch=x86&distroversion=v3.13&reponame=community
8
url pkg:apk/alpine/jenkins@2.281-r0?arch=x86_64&distroversion=v3.13&reponame=community
purl pkg:apk/alpine/jenkins@2.281-r0?arch=x86_64&distroversion=v3.13&reponame=community
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:apk/alpine/jenkins@2.281-r0%3Farch=x86_64&distroversion=v3.13&reponame=community
9
url pkg:maven/org.jenkins-ci.main/jenkins-core@2.263.3
purl pkg:maven/org.jenkins-ci.main/jenkins-core@2.263.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-evt5-t9pq-n7a7
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@2.263.3
10
url pkg:maven/org.jenkins-ci.main/jenkins-core@2.276
purl pkg:maven/org.jenkins-ci.main/jenkins-core@2.276
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@2.276
Affected_packages
0
url pkg:alpm/archlinux/jenkins@2.275-1
purl pkg:alpm/archlinux/jenkins@2.275-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-evt5-t9pq-n7a7
resource_url http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/jenkins@2.275-1
1
url pkg:maven/org.jenkins-ci.main/jenkins-core@2.263.2
purl pkg:maven/org.jenkins-ci.main/jenkins-core@2.263.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-25cp-rjk4-gfdb
1
vulnerability VCID-9zky-rdj1-pudy
2
vulnerability VCID-evt5-t9pq-n7a7
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@2.263.2
2
url pkg:maven/org.jenkins-ci.main/jenkins-core@2.263.3
purl pkg:maven/org.jenkins-ci.main/jenkins-core@2.263.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-evt5-t9pq-n7a7
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@2.263.3
3
url pkg:maven/org.jenkins-ci.main/jenkins-core@2.264
purl pkg:maven/org.jenkins-ci.main/jenkins-core@2.264
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-25jg-8vxe-1feu
1
vulnerability VCID-3y23-krs1-yudh
2
vulnerability VCID-3ynh-xzxn-jkgy
3
vulnerability VCID-4y3h-rxbk-cua1
4
vulnerability VCID-5yuh-2e55-hfbt
5
vulnerability VCID-6rk7-hffm-nbau
6
vulnerability VCID-db62-2h4q-x7fv
7
vulnerability VCID-evt5-t9pq-n7a7
8
vulnerability VCID-rrnb-9h1s-vkef
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@2.264
4
url pkg:maven/org.jenkins-ci.main/jenkins-core@2.275
purl pkg:maven/org.jenkins-ci.main/jenkins-core@2.275
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-evt5-t9pq-n7a7
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@2.275
5
url pkg:rpm/redhat/conmon@2:2.0.21-1.rhaos4.5?arch=el7
purl pkg:rpm/redhat/conmon@2:2.0.21-1.rhaos4.5?arch=el7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-25cp-rjk4-gfdb
1
vulnerability VCID-25jg-8vxe-1feu
2
vulnerability VCID-3y23-krs1-yudh
3
vulnerability VCID-3ynh-xzxn-jkgy
4
vulnerability VCID-4y3h-rxbk-cua1
5
vulnerability VCID-53z5-f3xj-z7bf
6
vulnerability VCID-5yuh-2e55-hfbt
7
vulnerability VCID-6rk7-hffm-nbau
8
vulnerability VCID-9zky-rdj1-pudy
9
vulnerability VCID-db62-2h4q-x7fv
10
vulnerability VCID-evt5-t9pq-n7a7
11
vulnerability VCID-rrnb-9h1s-vkef
12
vulnerability VCID-unby-h128-v3bk
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/conmon@2:2.0.21-1.rhaos4.5%3Farch=el7
6
url pkg:rpm/redhat/jenkins@2.263.3.1612434332-1?arch=el7
purl pkg:rpm/redhat/jenkins@2.263.3.1612434332-1?arch=el7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-25cp-rjk4-gfdb
1
vulnerability VCID-25jg-8vxe-1feu
2
vulnerability VCID-3y23-krs1-yudh
3
vulnerability VCID-3ynh-xzxn-jkgy
4
vulnerability VCID-4y3h-rxbk-cua1
5
vulnerability VCID-53z5-f3xj-z7bf
6
vulnerability VCID-5yuh-2e55-hfbt
7
vulnerability VCID-6rk7-hffm-nbau
8
vulnerability VCID-9zky-rdj1-pudy
9
vulnerability VCID-db62-2h4q-x7fv
10
vulnerability VCID-evt5-t9pq-n7a7
11
vulnerability VCID-rrnb-9h1s-vkef
12
vulnerability VCID-unby-h128-v3bk
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/jenkins@2.263.3.1612434332-1%3Farch=el7
7
url pkg:rpm/redhat/jenkins@2.263.3.1612434510-1?arch=el8
purl pkg:rpm/redhat/jenkins@2.263.3.1612434510-1?arch=el8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-25cp-rjk4-gfdb
1
vulnerability VCID-25jg-8vxe-1feu
2
vulnerability VCID-3y23-krs1-yudh
3
vulnerability VCID-3ynh-xzxn-jkgy
4
vulnerability VCID-4y3h-rxbk-cua1
5
vulnerability VCID-53z5-f3xj-z7bf
6
vulnerability VCID-5yuh-2e55-hfbt
7
vulnerability VCID-6rk7-hffm-nbau
8
vulnerability VCID-9zky-rdj1-pudy
9
vulnerability VCID-db62-2h4q-x7fv
10
vulnerability VCID-evt5-t9pq-n7a7
11
vulnerability VCID-rrnb-9h1s-vkef
12
vulnerability VCID-unby-h128-v3bk
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/jenkins@2.263.3.1612434510-1%3Farch=el8
8
url pkg:rpm/redhat/machine-config-daemon@4.5.0-202102050524.p0.git.2594.ff3b8c0?arch=el8
purl pkg:rpm/redhat/machine-config-daemon@4.5.0-202102050524.p0.git.2594.ff3b8c0?arch=el8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-25cp-rjk4-gfdb
1
vulnerability VCID-25jg-8vxe-1feu
2
vulnerability VCID-3y23-krs1-yudh
3
vulnerability VCID-3ynh-xzxn-jkgy
4
vulnerability VCID-4y3h-rxbk-cua1
5
vulnerability VCID-53z5-f3xj-z7bf
6
vulnerability VCID-5yuh-2e55-hfbt
7
vulnerability VCID-6rk7-hffm-nbau
8
vulnerability VCID-9zky-rdj1-pudy
9
vulnerability VCID-db62-2h4q-x7fv
10
vulnerability VCID-evt5-t9pq-n7a7
11
vulnerability VCID-rrnb-9h1s-vkef
12
vulnerability VCID-unby-h128-v3bk
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/machine-config-daemon@4.5.0-202102050524.p0.git.2594.ff3b8c0%3Farch=el8
9
url pkg:rpm/redhat/openshift@4.5.0-202102050524.p0.git.0.9229406?arch=el7
purl pkg:rpm/redhat/openshift@4.5.0-202102050524.p0.git.0.9229406?arch=el7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-25cp-rjk4-gfdb
1
vulnerability VCID-25jg-8vxe-1feu
2
vulnerability VCID-3y23-krs1-yudh
3
vulnerability VCID-3ynh-xzxn-jkgy
4
vulnerability VCID-4y3h-rxbk-cua1
5
vulnerability VCID-53z5-f3xj-z7bf
6
vulnerability VCID-5yuh-2e55-hfbt
7
vulnerability VCID-6rk7-hffm-nbau
8
vulnerability VCID-9zky-rdj1-pudy
9
vulnerability VCID-db62-2h4q-x7fv
10
vulnerability VCID-evt5-t9pq-n7a7
11
vulnerability VCID-rrnb-9h1s-vkef
12
vulnerability VCID-unby-h128-v3bk
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/openshift@4.5.0-202102050524.p0.git.0.9229406%3Farch=el7
10
url pkg:rpm/redhat/openshift-ansible@4.5.0-202102031005.p0.git.0.c6839a2?arch=el7
purl pkg:rpm/redhat/openshift-ansible@4.5.0-202102031005.p0.git.0.c6839a2?arch=el7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-25cp-rjk4-gfdb
1
vulnerability VCID-25jg-8vxe-1feu
2
vulnerability VCID-3y23-krs1-yudh
3
vulnerability VCID-3ynh-xzxn-jkgy
4
vulnerability VCID-4y3h-rxbk-cua1
5
vulnerability VCID-53z5-f3xj-z7bf
6
vulnerability VCID-5yuh-2e55-hfbt
7
vulnerability VCID-6rk7-hffm-nbau
8
vulnerability VCID-9zky-rdj1-pudy
9
vulnerability VCID-db62-2h4q-x7fv
10
vulnerability VCID-evt5-t9pq-n7a7
11
vulnerability VCID-rrnb-9h1s-vkef
12
vulnerability VCID-unby-h128-v3bk
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/openshift-ansible@4.5.0-202102031005.p0.git.0.c6839a2%3Farch=el7
11
url pkg:rpm/redhat/openshift-clients@4.5.0-202102051529.p0.git.3612.61b096a?arch=el7
purl pkg:rpm/redhat/openshift-clients@4.5.0-202102051529.p0.git.3612.61b096a?arch=el7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-25cp-rjk4-gfdb
1
vulnerability VCID-25jg-8vxe-1feu
2
vulnerability VCID-3y23-krs1-yudh
3
vulnerability VCID-3ynh-xzxn-jkgy
4
vulnerability VCID-4y3h-rxbk-cua1
5
vulnerability VCID-53z5-f3xj-z7bf
6
vulnerability VCID-5yuh-2e55-hfbt
7
vulnerability VCID-6rk7-hffm-nbau
8
vulnerability VCID-9zky-rdj1-pudy
9
vulnerability VCID-db62-2h4q-x7fv
10
vulnerability VCID-evt5-t9pq-n7a7
11
vulnerability VCID-rrnb-9h1s-vkef
12
vulnerability VCID-unby-h128-v3bk
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/openshift-clients@4.5.0-202102051529.p0.git.3612.61b096a%3Farch=el7
12
url pkg:rpm/redhat/runc@1.0.0-72.rhaos4.5.giteadfc6b?arch=el8
purl pkg:rpm/redhat/runc@1.0.0-72.rhaos4.5.giteadfc6b?arch=el8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-25cp-rjk4-gfdb
1
vulnerability VCID-25jg-8vxe-1feu
2
vulnerability VCID-3y23-krs1-yudh
3
vulnerability VCID-3ynh-xzxn-jkgy
4
vulnerability VCID-4y3h-rxbk-cua1
5
vulnerability VCID-53z5-f3xj-z7bf
6
vulnerability VCID-5yuh-2e55-hfbt
7
vulnerability VCID-6rk7-hffm-nbau
8
vulnerability VCID-9zky-rdj1-pudy
9
vulnerability VCID-db62-2h4q-x7fv
10
vulnerability VCID-evt5-t9pq-n7a7
11
vulnerability VCID-rrnb-9h1s-vkef
12
vulnerability VCID-unby-h128-v3bk
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/runc@1.0.0-72.rhaos4.5.giteadfc6b%3Farch=el8
References
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21615.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21615.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-21615
reference_id
reference_type
scores
0
value 0.00436
scoring_system epss
scoring_elements 0.63048
published_at 2026-04-18T12:55:00Z
1
value 0.00436
scoring_system epss
scoring_elements 0.6299
published_at 2026-04-04T12:55:00Z
2
value 0.00436
scoring_system epss
scoring_elements 0.62954
published_at 2026-04-07T12:55:00Z
3
value 0.00436
scoring_system epss
scoring_elements 0.63006
published_at 2026-04-08T12:55:00Z
4
value 0.00436
scoring_system epss
scoring_elements 0.63022
published_at 2026-04-09T12:55:00Z
5
value 0.00436
scoring_system epss
scoring_elements 0.63039
published_at 2026-04-11T12:55:00Z
6
value 0.00436
scoring_system epss
scoring_elements 0.63025
published_at 2026-04-12T12:55:00Z
7
value 0.00436
scoring_system epss
scoring_elements 0.63003
published_at 2026-04-13T12:55:00Z
8
value 0.00436
scoring_system epss
scoring_elements 0.6304
published_at 2026-04-16T12:55:00Z
9
value 0.00436
scoring_system epss
scoring_elements 0.62902
published_at 2026-04-01T12:55:00Z
10
value 0.00436
scoring_system epss
scoring_elements 0.62961
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-21615
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-21615
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-21615
3
reference_url https://www.jenkins.io/security/advisory/2021-01-26/#SECURITY-2197
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.jenkins.io/security/advisory/2021-01-26/#SECURITY-2197
4
reference_url http://www.openwall.com/lists/oss-security/2021/01/26/2
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2021/01/26/2
5
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1921322
reference_id 1921322
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1921322
6
reference_url https://security.archlinux.org/AVG-1491
reference_id AVG-1491
reference_type
scores
0
value Medium
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-1491
7
reference_url https://github.com/advisories/GHSA-qxp6-27gw-99cj
reference_id GHSA-qxp6-27gw-99cj
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-qxp6-27gw-99cj
8
reference_url https://access.redhat.com/errata/RHSA-2021:0423
reference_id RHSA-2021:0423
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:0423
9
reference_url https://access.redhat.com/errata/RHSA-2021:0429
reference_id RHSA-2021:0429
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:0429
Weaknesses
0
cwe_id 367
name Time-of-check Time-of-use (TOCTOU) Race Condition
description The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state.
1
cwe_id 22
name Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
description The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
2
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
3
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
Exploits
Severity_range_score 4.0 - 6.9
Exploitability 0.5
Weighted_severity 6.2
Risk_score 3.1
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-evt5-t9pq-n7a7