CVE-2021-21602

Description

The file browser for workspaces, archived artifacts, and `$JENKINS_HOME/userContent/` follows symbolic links to locations outside the directory being browsed in Jenkins 2.274 and earlier, LTS 2.263.1 and earlier. This allows attackers with Job/Workspace permission and the ability to control workspace contents (e.g., with Job/Configure permission or the ability to change SCM contents) to create symbolic links that allow them to access files outside workspaces using the workspace browser. This issue is caused by an incomplete fix for SECURITY-904 / CVE-2018-1000862 in the [2018-12-08 security advisory](https://www.jenkins.io/security/advisory/2018-12-05/#SECURITY-904). Jenkins 2.275, LTS 2.263.2 no longer supports symlinks in workspace browsers. While they may still exist on the file system, they are no longer shown on the UI, accessible via URLs, or included in directory content downloads. This fix only changes the behavior of the Jenkins UI. Archiving artifacts still behaves as before.

How to fix CVE-2021-21602

To remediate CVE-2021-21602, upgrade the affected package to a fixed version below.

• —upgrade to 2.274.1 or later
• —upgrade to 2.263.2 or later

Is CVE-2021-21602 being exploited?

Low — EPSS is 1.7%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

• from 0, < 2.274.1
• from 0, < 2.263.2

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-21602
• PATCHgithub.com/jenkinsci/jenkins
• WEBgithub.com/jenkinsci/jenkins/commit/71d2ecf1a4e5303e80815eaa3935c4f2fa3d9104
• WEBwww.jenkins.io/security/advisory/2021-01-13/#SECURITY-1452