CVE-2021-21683
Path traversal vulnerability on Windows in Jenkins
6.5
MEDIUM
CVSS 3.1
EPSS 1.7%
Description
The file browser for workspaces, archived artifacts, and `userContent/` in Jenkins 2.314 and earlier, LTS 2.303.1 and earlier may interpret some paths to files as absolute on Windows. This results in a path traversal vulnerability allowing attackers with Overall/Read permission (Windows controller) or Job/Workspace permission (Windows agents) to obtain the contents of arbitrary files.

The file browser in Jenkins 2.315, LTS 2.303.2 refuses to serve files that would be considered absolute paths.
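As an added illustration (not Jenkins code), the following Python models the failure mode the description names: a join that silently treats user input as absolute on Windows, beside a check that refuses such input and then confirms the resolved path still lies under the workspace root. Python's `ntpath` implements Windows path rules on any OS; the root `C:\jenkins\ws` and the sample paths are constructed.

```python
import ntpath
from typing import Optional

# Constructed sample workspace root (Windows path). ntpath applies Windows
# semantics regardless of the host OS, so this runs on Linux as well.
ROOT = "C:\\jenkins\\ws"


def naive_resolve(root: str, user_path: str) -> str:
    """Vulnerable pattern: join, then normalise. When Windows treats the
    request as absolute (drive-qualified, rooted or drive-relative), the
    join discards the root and the result points outside it."""
    return ntpath.normpath(ntpath.join(root, user_path))


def is_safe_relative(user_path: str) -> bool:
    """True only for input Windows cannot interpret as absolute.
    Rejects C:\\x and C:x (drive present), \\\\server\\share and \\\\?\\...
    (UNC/device prefixes, which splitdrive also reports as a drive) and
    \\x or /x (rooted on the current drive). ntpath.isabs is deliberately
    avoided: its handling of a single leading slash changed in 3.13."""
    drive, rest = ntpath.splitdrive(user_path)
    if drive:
        return False
    return rest[:1] not in ("\\", "/")


def resolve_under_root(root: str, user_path: str) -> Optional[str]:
    """Hardened resolution: refuse absolute-looking input up front, then
    verify the normalised result is the root or sits beneath it (this
    second check also catches ..\\ traversal). Returns None when refused."""
    if not is_safe_relative(user_path):
        return None
    root_n = ntpath.normpath(root)
    candidate = ntpath.normpath(ntpath.join(root_n, user_path))
    # Windows paths are case-insensitive, so compare normcase'd forms.
    inside = ntpath.normcase(root_n)
    got = ntpath.normcase(candidate)
    if got != inside and not got.startswith(inside.rstrip("\\") + "\\"):
        return None
    return candidate


if __name__ == "__main__":
    for p in ["build/log.txt", "C:\\Windows\\win.ini", "\\Windows\\win.ini",
              "D:secret.txt", "..\\..\\secret.txt", "\\\\server\\share\\x"]:
        print(f"{p!r:26} naive={naive_resolve(ROOT, p)!r:30} "
              f"hardened={resolve_under_root(ROOT, p)!r}")
```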
How to fix CVE-2021-21683
To remediate CVE-2021-21683, upgrade the affected package to a fixed version below.
- upgrade to 2.314.1 or later
- upgrade to 2.303.2 or later
Is CVE-2021-21683 being exploited?
Low — EPSS is 1.7%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 2.314.1
- from 0, < 2.303.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |