logo

Database

Lack of data validation - Path Traversal In org.jenkins-ci.main:jenkins-core

Description

Path traversal vulnerability on Windows in Jenkins The file browser for workspaces, archived artifacts, and userContent/ in Jenkins 2.314 and earlier, LTS 2.303.1 and earlier may interpret some paths to files as absolute on Windows.

This results in a path traversal vulnerability allowing attackers with Overall/Read permission (Windows controller) or Job/Workspace permission (Windows agents) to obtain the contents of arbitrary files.\n\nThe file browser in Jenkins 2.315, LTS 2.303.2 refuses to serve files that would be considered absolute paths.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2021-216832. NVD-2021-216833. OSV-2021-216834. GCVE-2021-21683

References

1. https://github.com/jenkinsci/jenkins/commit/3f679fc12d073676a4441d3fa8b5fff34c07662f2. https://www.jenkins.io/security/advisory/2021-10-06/#SECURITY-24813. http://www.openwall.com/lists/oss-security/2021/10/06/1

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.