Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-remx-jas5-1bfm
Vulnerability ID VCID-remx-jas5-1bfm
Aliases CVE-2021-21692
GHSA-8xg4-xq2v-v6j7
Summary Incorrect Authorization FilePath#renameTo and FilePath#moveAllChildrenTo in Jenkins only check 'read' agent-to-controller access permission on the source path, instead of 'delete'.
Status Published
Exploitability 0.5
Weighted Severity 9.0
Risk 4.5
Affected and Fixed Packages Package Details
Weaknesses (5)
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-863 Incorrect Authorization
CWE-276 Incorrect Default Permissions
System Score Found at
cvssv3 9.0 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21692.json
epss 0.00647 https://api.first.org/data/v1/epss?cve=CVE-2021-21692
epss 0.00647 https://api.first.org/data/v1/epss?cve=CVE-2021-21692
epss 0.00647 https://api.first.org/data/v1/epss?cve=CVE-2021-21692
epss 0.00647 https://api.first.org/data/v1/epss?cve=CVE-2021-21692
epss 0.00647 https://api.first.org/data/v1/epss?cve=CVE-2021-21692
epss 0.00647 https://api.first.org/data/v1/epss?cve=CVE-2021-21692
epss 0.00647 https://api.first.org/data/v1/epss?cve=CVE-2021-21692
epss 0.00647 https://api.first.org/data/v1/epss?cve=CVE-2021-21692
epss 0.00647 https://api.first.org/data/v1/epss?cve=CVE-2021-21692
epss 0.00647 https://api.first.org/data/v1/epss?cve=CVE-2021-21692
epss 0.00647 https://api.first.org/data/v1/epss?cve=CVE-2021-21692
epss 0.00647 https://api.first.org/data/v1/epss?cve=CVE-2021-21692
epss 0.00647 https://api.first.org/data/v1/epss?cve=CVE-2021-21692
epss 0.00647 https://api.first.org/data/v1/epss?cve=CVE-2021-21692
epss 0.00647 https://api.first.org/data/v1/epss?cve=CVE-2021-21692
cvssv3.1_qr CRITICAL https://github.com/advisories/GHSA-8xg4-xq2v-v6j7
cvssv3.1 9.0 https://github.com/jenkinsci/jenkins
generic_textual CRITICAL https://github.com/jenkinsci/jenkins
cvssv3.1 9.0 https://github.com/jenkinsci/jenkins/commit/104c751d907919dd53f5090f84d53c671a66457b
generic_textual CRITICAL https://github.com/jenkinsci/jenkins/commit/104c751d907919dd53f5090f84d53c671a66457b
cvssv3.1 9.0 https://github.com/jenkinsci/jenkins/commit/5a245e42979abe4a26d41727c839521e36cedd74
generic_textual CRITICAL https://github.com/jenkinsci/jenkins/commit/5a245e42979abe4a26d41727c839521e36cedd74
cvssv3.1 9.0 https://github.com/jenkinsci/jenkins/commit/63cde2daadc705edf086f2213b48c8c547f98358
generic_textual CRITICAL https://github.com/jenkinsci/jenkins/commit/63cde2daadc705edf086f2213b48c8c547f98358
cvssv3.1 9.0 https://nvd.nist.gov/vuln/detail/CVE-2021-21692
generic_textual CRITICAL https://nvd.nist.gov/vuln/detail/CVE-2021-21692
archlinux Critical https://security.archlinux.org/AVG-2526
cvssv3.1 9.0 https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455
generic_textual CRITICAL https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21692.json
https://api.first.org/data/v1/epss?cve=CVE-2021-21692
https://github.com/jenkinsci/jenkins
https://github.com/jenkinsci/jenkins/commit/104c751d907919dd53f5090f84d53c671a66457b
https://github.com/jenkinsci/jenkins/commit/5a245e42979abe4a26d41727c839521e36cedd74
https://github.com/jenkinsci/jenkins/commit/63cde2daadc705edf086f2213b48c8c547f98358
https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455
2020339 https://bugzilla.redhat.com/show_bug.cgi?id=2020339
ASA-202111-1 https://security.archlinux.org/ASA-202111-1
AVG-2526 https://security.archlinux.org/AVG-2526
CVE-2021-21692 https://nvd.nist.gov/vuln/detail/CVE-2021-21692
GHSA-8xg4-xq2v-v6j7 https://github.com/advisories/GHSA-8xg4-xq2v-v6j7
RHSA-2021:4799 https://access.redhat.com/errata/RHSA-2021:4799
RHSA-2021:4801 https://access.redhat.com/errata/RHSA-2021:4801
RHSA-2021:4827 https://access.redhat.com/errata/RHSA-2021:4827
RHSA-2021:4829 https://access.redhat.com/errata/RHSA-2021:4829
RHSA-2021:4833 https://access.redhat.com/errata/RHSA-2021:4833
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21692.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://github.com/jenkinsci/jenkins
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://github.com/jenkinsci/jenkins/commit/104c751d907919dd53f5090f84d53c671a66457b
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://github.com/jenkinsci/jenkins/commit/5a245e42979abe4a26d41727c839521e36cedd74
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://github.com/jenkinsci/jenkins/commit/63cde2daadc705edf086f2213b48c8c547f98358
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2021-21692
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.70687
EPSS Score 0.00647
Published At April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:49:00.007433+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.jenkins-ci.main/jenkins-core/CVE-2021-21692.yml 38.0.0