Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 767352 (CVE-2021-21615) - <dev-util/jenkins-bin-{2.263.3,2.277}: filesystem traversal by privileged users (CVE-2021-21615)
Summary: <dev-util/jenkins-bin-{2.263.3,2.277}: filesystem traversal by privileged use...
Status: RESOLVED FIXED
Alias: CVE-2021-21615
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://www.jenkins.io/security/advis...
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks: CVE-2021-21602, CVE-2021-21603, CVE-2021-21604, CVE-2021-21605, CVE-2021-21606, CVE-2021-21607, CVE-2021-21608, CVE-2021-21609, CVE-2021-21610, CVE-2021-21611, CVE-2021-21612, CVE-2021-21613, CVE-2021-21614
  Show dependency tree
 
Reported: 2021-01-26 19:44 UTC by John Helmert III
Modified: 2021-01-30 16:13 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-01-26 19:44:11 UTC 
CVE-2021-21615:

Due to a time-of-check to time-of-use (TOCTOU) race condition, the file
browser for workspaces, archived artifacts, and
`$JENKINS_HOME/userContent/` follows symbolic links to locations outside
the directory being browsed in Jenkins 2.275 and LTS 2.263.2.

This allows attackers with Job/Workspace permission and the ability to
control workspace contents, e.g., with Job/Configure permission or the
ability to change SCM contents, to create symbolic links that allow them to
access files outside workspaces using the workspace browser.


Fixed in 2.276 and 2.263.3. Please bump.
Comment 1 Hans de Graaff gentoo-dev Security 2021-01-28 06:02:55 UTC 
Interestingly enough this security issue was not listed for 2.263.3 initially when that was added 2 days ago.

In any case 2.277 now also added.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-01-28 15:37:17 UTC 
(In reply to Hans de Graaff from comment #1)
> Interestingly enough this security issue was not listed for 2.263.3
> initially when that was added 2 days ago.
> 
> In any case 2.277 now also added.

Please cleanup, thanks!
Comment 3 Hans de Graaff gentoo-dev Security 2021-01-30 07:15:22 UTC 
Cleanup done.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-01-30 16:13:50 UTC 
Thanks! All done!