Search for packages
| purl | pkg:maven/org.jenkins-ci.main/jenkins-core@2.319 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | ||
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-1kf2-8j67-7kg3 | Improper Link Resolution Before File Access ('Link Following') File path filters in the agent-to-controller security subsystem of Jenkins do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories. |
CVE-2021-21686
GHSA-4g38-hrm4-rg94 |
| VCID-53km-desw-w7d6 | Protection Mechanism Failure Jenkins does not limit agent read/write access to the libs/ directory inside build directories when using the FilePath APIs, allowing attackers in control of agent processes to replace the code of a trusted library with a modified variant. This results in unsandboxed code execution in the Jenkins controller process. |
CVE-2021-21696
GHSA-c5r9-rx53-q3gf |
| VCID-7w87-bm8n-bbbr | Missing Authorization The agent-to-controller security check FilePath#reading(FileVisitor) in Jenkins does not reject any operations, allowing users to have unrestricted read access using certain operations (creating archives, FilePath#copyRecursiveTo). |
CVE-2021-21688
GHSA-m9hr-259f-2v23 |
| VCID-b4zg-38x9-23dn | Missing Authorization Jenkins does not check agent-to-controller access to create symbolic links when unarchiving a symbolic link in FilePath#untar. |
CVE-2021-21687
GHSA-3q84-vrvx-rfvf |
| VCID-fvza-3rhj-8kbp | Protection Mechanism Failure Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path in Jenkins. |
CVE-2021-21690
GHSA-97c3-w9cr-6qc2 |
| VCID-h3nf-gwsr-5qf3 | Missing Authorization File operations do not check any permissions in Jenkins. |
CVE-2021-21694
GHSA-pgj6-jmj5-wqfx |
| VCID-kf3a-yce1-auh4 | Incorrect Authorization Creating symbolic links is possible without the 'symlink' agent-to-controller access control permission in Jenkins. |
CVE-2021-21691
GHSA-2c79-h2h5-g3fw |
| VCID-nq1x-s9hz-a7fb | Missing Authorization FilePath#listFiles lists files outside directories that agents are allowed to access when following symbolic links in Jenkins. |
CVE-2021-21695
GHSA-cvvm-4cr9-r436 |
| VCID-r3ry-745m-zuh1 | Missing Authorization FilePath#unzip and FilePath#untar were not subject to any agent-to-controller access control in Jenkins. |
CVE-2021-21689
GHSA-j3cq-h6vh-gx7f |
| VCID-r3v1-qkky-dqcq | Missing Authorization Jenkins does not check agent-to-controller access to create parent directories in FilePath#mkdirs. |
CVE-2021-21685
GHSA-58xm-mxjf-254g |
| VCID-remx-jas5-1bfm | Incorrect Authorization FilePath#renameTo and FilePath#moveAllChildrenTo in Jenkins only check 'read' agent-to-controller access permission on the source path, instead of 'delete'. |
CVE-2021-21692
GHSA-8xg4-xq2v-v6j7 |
| VCID-wuvf-kdtu-tkc2 | Improper Authorization When creating temporary files, agent-to-controller access to create those files is only checked after they've been created in Jenkins. |
CVE-2021-21693
GHSA-929w-q433-4h9x |
| VCID-zgtd-8mf6-ruc9 | Incomplete List of Disallowed Inputs Jenkins allows any agent to read and write the contents of any build directory stored in Jenkins with very few restrictions. |
CVE-2021-21697
GHSA-cv2w-q8c3-xjv7 |