Bug 767352 (CVE-2021-21615)

Summary:	<dev-util/jenkins-bin-{2.263.3,2.277}: filesystem traversal by privileged users (CVE-2021-21615)
Product:	Gentoo Security	Reporter:	John Helmert III <ajak>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	trivial	CC:	graaff, patrick
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://www.jenkins.io/security/advisory/2021-01-26/
Whiteboard:	~4 [noglsa]
Package list:		Runtime testing required:	---
Bug Depends on:
Bug Blocks:	765217

Description John Helmert III archtester

2021-01-26 19:44:11 UTC

CVE-2021-21615:

Due to a time-of-check to time-of-use (TOCTOU) race condition, the file
browser for workspaces, archived artifacts, and
`$JENKINS_HOME/userContent/` follows symbolic links to locations outside
the directory being browsed in Jenkins 2.275 and LTS 2.263.2.

This allows attackers with Job/Workspace permission and the ability to
control workspace contents, e.g., with Job/Configure permission or the
ability to change SCM contents, to create symbolic links that allow them to
access files outside workspaces using the workspace browser.


Fixed in 2.276 and 2.263.3. Please bump.

Comment 1 Hans de Graaff gentoo-dev

2021-01-28 06:02:55 UTC

Interestingly enough this security issue was not listed for 2.263.3 initially when that was added 2 days ago.

In any case 2.277 now also added.

Comment 2 John Helmert III archtester

2021-01-28 15:37:17 UTC

(In reply to Hans de Graaff from comment #1)
> Interestingly enough this security issue was not listed for 2.263.3
> initially when that was added 2 days ago.
> 
> In any case 2.277 now also added.

Please cleanup, thanks!

Comment 3 Hans de Graaff gentoo-dev

2021-01-30 07:15:22 UTC

Cleanup done.

Comment 4 John Helmert III archtester

2021-01-30 16:13:50 UTC

Thanks! All done!