oss-sec mailing list archives
Vulnerability in Jenkins
From: Daniel Beck <ml () beckweb net>
Date: Tue, 26 Jan 2021 11:46:34 +0100
Jenkins is an open source automation server which enables developers around the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

* Jenkins 2.276
* Jenkins LTS 2.263.3

Summaries of the vulnerabilities are below. More details, severity, and attribution can be found here:
https://www.jenkins.io/security/advisory/2021-01-26/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as described here:
https://www.jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-2197 / CVE-2021-21615

Due to a time-of-check to time-of-use (TOCTOU) race condition, the file browser for workspaces, archived artifacts, and `$JENKINS_HOME/userContent/` follows symbolic links to locations outside the directory being browsed in Jenkins 2.275 and LTS 2.263.2.

This allows attackers with Job/Workspace permission and the ability to control workspace contents, e.g., with Job/Configure permission or the ability to change SCM contents, to create symbolic links that allow them to access files outside workspaces using the workspace browser.
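The advisory describes a check-then-use flaw: a path is validated (resolved and compared against the browsed root) and then opened as a separate step, so a symbolic link swapped in between the two operations is followed. The example below is an added illustration, not Jenkins code and not the fix the project shipped; it contrasts a naive `realpath`-then-`open` browser with a reader that walks the requested path one component at a time and opens each with `O_NOFOLLOW` relative to the previous directory descriptor, so a link can never be followed regardless of timing. The race is made deterministic with a constructed hook (`between_check_and_use`) that swaps a regular file for a symlink at the vulnerable moment; the temp directory, file names and contents are all constructed for the demo.

```python
import errno
import os
import pathlib
import tempfile


def naive_read(root: str, rel: str, between_check_and_use=None) -> bytes:
    """Check-then-use browser: resolve the path, confirm it lies under root,
    then open it. The gap between the check and open() is the TOCTOU window."""
    root_real = os.path.realpath(root)
    target = os.path.join(root, rel)
    if not os.path.realpath(target).startswith(root_real + os.sep):
        raise PermissionError("path resolves outside the browsed root")
    if between_check_and_use is not None:
        between_check_and_use()  # constructed hook standing in for a concurrent writer
    with open(target, "rb") as f:  # follows whatever the path is *now*
        return f.read()


def safe_read(root: str, rel: str) -> bytes:
    """Open rel under root without ever following a symbolic link.
    Each component is opened relative to the previous directory fd with
    O_NOFOLLOW, so there is no separate check step for a swap to defeat."""
    parts = pathlib.PurePosixPath(rel).parts
    if rel.startswith("/") or not parts or any(p in ("..", "") for p in parts):
        raise PermissionError("absolute or parent-relative paths are not allowed")
    fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for name in parts[:-1]:
            # A symlinked intermediate directory is refused just like a symlinked file.
            nfd = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=fd)
            os.close(fd)
            fd = nfd
        ffd = os.open(parts[-1], os.O_RDONLY | os.O_NOFOLLOW, dir_fd=fd)
    except OSError as e:
        if e.errno == errno.ELOOP:  # O_NOFOLLOW hit a symlink
            raise PermissionError("symbolic link refused: " + rel) from e
        raise
    finally:
        os.close(fd)
    with os.fdopen(ffd, "rb") as f:
        return f.read()


def demo() -> dict:
    """Constructed scenario: a workspace directory beside a file it must not expose."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        outside = os.path.join(tmp, "secret.txt")
        with open(outside, "wb") as f:
            f.write(b"secret")
        ws = os.path.join(tmp, "workspace")
        os.mkdir(ws)
        with open(os.path.join(ws, "build.log"), "wb") as f:
            f.write(b"ok")

        # 1. A regular file inside the workspace is readable either way.
        results["naive_honest"] = naive_read(ws, "build.log")
        results["safe_honest"] = safe_read(ws, "build.log")

        # 2. A symlink that already points outside: the naive check does catch it.
        os.symlink(outside, os.path.join(ws, "link"))
        try:
            naive_read(ws, "link")
            results["naive_symlink_blocked"] = False
        except PermissionError:
            results["naive_symlink_blocked"] = True

        # 3. The race: the check sees a regular file, then it becomes a symlink.
        swap_path = os.path.join(ws, "swap")
        with open(swap_path, "wb") as f:
            f.write(b"placeholder")

        def swap_for_symlink():
            os.remove(swap_path)
            os.symlink(outside, swap_path)

        results["naive_raced"] = naive_read(ws, "swap", swap_for_symlink)  # leaks b"secret"
        try:
            safe_read(ws, "swap")
            results["safe_symlink_blocked"] = False
        except PermissionError:
            results["safe_symlink_blocked"] = True
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point the demo makes is that the naive browser is not wrong because its check is weak (case 2 shows it rejects an existing link) but because the check and the open are two operations on a path that someone else can rewrite in between; opening with `O_NOFOLLOW` per component removes the window rather than narrowing it. The same property is what `LinkOption.NOFOLLOW_LINKS` gives a Java `Files.newInputStream` call on POSIX systems.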