CVE-2021-21605
Path traversal vulnerability in Jenkins agent names
Description
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows users with Agent/Configure permission to choose agent names that cause Jenkins to overwrite unrelated `config.xml` files, because the agent name is used unvalidated as a path component under `$JENKINS_HOME/nodes/`. If the global `config.xml` file is replaced this way, Jenkins will start up with unsafe legacy defaults after a restart. Jenkins 2.275, LTS 2.263.2 ensures that agent names are considered valid names for items to prevent this problem. In case of problems, this change can be reverted by setting the [Java system property](https://www.jenkins.io/doc/book/managing/system-properties/) `jenkins.model.Nodes.enforceNameRestrictions` to `false`.
How to fix CVE-2021-21605
To remediate CVE-2021-21605, upgrade the affected package to one of the fixed versions below.
- Upgrade to 2.274.1 or later
- Upgrade to LTS 2.263.2 or later
Is CVE-2021-21605 being exploited?
Low. The EPSS score is 0.6%, i.e. an estimated probability of about 0.6% that the vulnerability is exploited in the wild within the next 30 days; EPSS is a prediction, not a record of observed exploitation. Note that the attacker needs an account with Agent/Configure permission, so exposure is governed by how widely that permission is granted.
Affected packages (2)
- from 0, < 2.274.1
- from 0, < 2.263.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.0 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |