CVE-2021-21698 – org.jenkins-ci.plugins:subversion

Package

Manager: maven
Name: org.jenkins-ci.plugins:subversion
Vulnerable Version: >=0 <2.15.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00972 pctl0.75757

Details

Path traversal vulnerability in Jenkins Subversion Plugin allows reading arbitrary files Subversion Plugin 2.15.0 and earlier does not restrict the name of a file when looking up a subversion key file on the controller from an agent. This allows attackers able to control agent processes to read arbitrary files on the Jenkins controller file system. Subversion Plugin 2.15.1 checks for the presence of and prohibits directory separator characters as part of the file name, restricting it to the intended directory.

Metadata

Created: 2022-05-24T19:19:43Z
Modified: 2022-12-16T22:58:21Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-q58j-fhj7-j6fg/GHSA-q58j-fhj7-j6fg.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-q58j-fhj7-j6fg
Finding: F063
Auto approve: 1