Vulnerability in Jenkins

[Daniel Beck <ml () beckweb net>]

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

* Jenkins 2.276
* Jenkins LTS 2.263.3


Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://www.jenkins.io/security/advisory/2021-01-26/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://www.jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-2197 / CVE-2021-21615
Due to a time-of-check to time-of-use (TOCTOU) race condition, the file
browser for workspaces, archived artifacts, and
`$JENKINS_HOME/userContent/` follows symbolic links to locations outside
the directory being browsed in Jenkins 2.275 and LTS 2.263.2.

This allows attackers with Job/Workspace permission and the ability to
control workspace contents, e.g., with Job/Configure permission or the
ability to change SCM contents, to create symbolic links that allow them to
access files outside workspaces using the workspace browser.