Creating symbolic links is possible without the 'symlink' agent-to-controller access control permission in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.
{"osv": [{"lastseen": "2022-06-23T08:01:58", "description": "Creating symbolic links is possible without the 'symlink' agent-to-controller access control permission in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-24T19:19:44", "type": "osv", "title": "Incorrect Authorization in Jenkins", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21691"], "modified": "2022-06-23T07:10:54", "id": "OSV:GHSA-2C79-H2H5-G3FW", "href": "https://osv.dev/vulnerability/GHSA-2c79-h2h5-g3fw", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "veracode": [{"lastseen": "2022-05-12T00:12:40", "description": "jenkins is vulnerable to privilege escalation. 
An attacker can create symbolic links without a `symlink` permission \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-04T00:41:10", "type": "veracode", "title": "Privilege Escalation", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21691"], "modified": "2022-04-19T18:44:42", "id": "VERACODE:33174", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-33174/summary", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "alpinelinux": [{"lastseen": "2021-12-08T08:39:25", "description": "Creating symbolic links is possible without the 'symlink' agent-to-controller access control permission in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": 
"3.1"}, "impactScore": 5.9}, "published": "2021-11-04T17:15:00", "type": "alpinelinux", "title": "CVE-2021-21691", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21691"], "modified": "2021-11-09T19:35:00", "id": "ALPINE:CVE-2021-21691", "href": "https://security.alpinelinux.org/vuln/CVE-2021-21691", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-03-23T13:48:19", "description": "Creating symbolic links is possible without the 'symlink' agent-to-controller access control permission in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-04T17:15:00", "type": "cve", "title": "CVE-2021-21691", "cwe": ["CWE-863"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": 
"2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21691"], "modified": "2021-11-09T19:35:00", "cpe": [], "id": "CVE-2021-21691", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21691", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}], "redhatcve": [{"lastseen": "2022-06-25T11:02:08", "description": "A vulnerability was found in Jenkins which failed to correctly validate permissions. This flaw allowed any user to create symbolic links regardless if they had the symlink permission. It may allow an attacker to read and write to arbitrary files on the Jenkins controller file system.\n#### Mitigation\n\nRed Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible. \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-04T16:53:38", "type": "redhatcve", "title": "CVE-2021-21691", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2021-21691"], "modified": "2022-06-25T09:23:04", "id": "RH:CVE-2021-21691", "href": "https://access.redhat.com/security/cve/cve-2021-21691", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "archlinux": [{"lastseen": "2021-11-27T06:39:10", "description": "Arch Linux Security Advisory ASA-202111-1\n=========================================\n\nSeverity: Critical\nDate : 2021-11-05\nCVE-ID : CVE-2021-21685 CVE-2021-21686 CVE-2021-21687 CVE-2021-21688\nCVE-2021-21689 CVE-2021-21690 CVE-2021-21691 CVE-2021-21692\nCVE-2021-21693 CVE-2021-21694 CVE-2021-21695 CVE-2021-21696\nCVE-2021-21697\nPackage : jenkins\nType : multiple issues\nRemote : Yes\nLink : https://security.archlinux.org/AVG-2526\n\nSummary\n=======\n\nThe package jenkins before version 2.319-1 is vulnerable to multiple\nissues including arbitrary filesystem access and sandbox escape.\n\nResolution\n==========\n\nUpgrade to 2.319-1.\n\n# pacman -Syu \"jenkins>=2.319-1\"\n\nThe problems have been fixed upstream in version 2.319.\n\nWorkaround\n==========\n\nIf you are unable to immediately upgrade to Jenkins 2.319 right away,\nyou can install the Remoting Security Workaround Plugin. It will\nprevent all agent-to-controller file access using FilePath APIs.\nBecause it is more restrictive than Jenkins 2.319, more plugins are\nincompatible with it. Make sure to read the plugin documentation before\ninstalling it.\n\nDescription\n===========\n\n- CVE-2021-21685 (arbitrary filesystem access)\n\nA security issue has been found in Jenkins before version 2.319.\nFilePath#mkdirs does not check permission to create parent directories.\nThis allows agent processes to read and write arbitrary files on the\nJenkins controller file system, and obtain some information about\nJenkins controller file systems.\n\n- CVE-2021-21686 (arbitrary filesystem access)\n\nA security issue has been found in Jenkins before version 2.319. 
File\npath filters do not canonicalize paths, allowing operations to follow\nsymbolic links to outside allowed directories. This allows agent\nprocesses to read and write arbitrary files on the Jenkins controller\nfile system, and obtain some information about Jenkins controller file\nsystems.\n\n- CVE-2021-21687 (arbitrary filesystem access)\n\nA security issue has been found in Jenkins before version 2.319.\nFilePath#untar does not check permission to create symbolic links when\nunarchiving a symbolic link. This allows agent processes to read and\nwrite arbitrary files on the Jenkins controller file system, and obtain\nsome information about Jenkins controller file systems.\n\n- CVE-2021-21688 (arbitrary filesystem access)\n\nA security issue has been found in Jenkins before version 2.319.\nFilePath#reading(FileVisitor) does not reject any operations, allowing\nusers to have unrestricted read access using certain operations\n(creating archives, #copyRecursiveTo). This allows agent processes to\nread and write arbitrary files on the Jenkins controller file system,\nand obtain some information about Jenkins controller file systems.\n\n- CVE-2021-21689 (arbitrary filesystem access)\n\nA security issue has been found in Jenkins before version 2.319.\nFilePath#unzip and FilePath#untar were not subject to any access\ncontrol. This allows agent processes to read and write arbitrary files\non the Jenkins controller file system, and obtain some information\nabout Jenkins controller file systems.\n\n- CVE-2021-21690 (arbitrary filesystem access)\n\nA security issue has been found in Jenkins before version 2.319. Agent\nprocesses are able to completely bypass file path filtering by wrapping\nthe file operation in an agent file path. 
This allows agent processes\nto read and write arbitrary files on the Jenkins controller file\nsystem, and obtain some information about Jenkins controller file\nsystems.\n\n- CVE-2021-21691 (arbitrary filesystem access)\n\nA security issue has been found in Jenkins before version 2.319.\nCreating symbolic links is possible without the symlink permission.\nThis allows agent processes to read and write arbitrary files on the\nJenkins controller file system, and obtain some information about\nJenkins controller file systems.\n\n- CVE-2021-21692 (arbitrary filesystem access)\n\nA security issue has been found in Jenkins before version 2.319. The\noperations FilePath#renameTo and FilePath#moveAllChildrenTo only check\nread permission on the source path. This allows agent processes to read\nand write arbitrary files on the Jenkins controller file system, and\nobtain some information about Jenkins controller file systems.\n\n- CVE-2021-21693 (arbitrary filesystem access)\n\nA security issue has been found in Jenkins before version 2.319. When\ncreating temporary files, permission to create files is only checked\nafter they\u2019ve been created. This allows agent processes to read and\nwrite arbitrary files on the Jenkins controller file system, and obtain\nsome information about Jenkins controller file systems.\n\n- CVE-2021-21694 (arbitrary filesystem access)\n\nA security issue has been found in Jenkins before version 2.319.\nFilePath#toURI, FilePath#hasSymlink, FilePath#absolutize,\nFilePath#isDescendant, and FilePath#get*DiskSpace do not check any\npermissions. This allows agent processes to read and write arbitrary\nfiles on the Jenkins controller file system, and obtain some\ninformation about Jenkins controller file systems.\n\n- CVE-2021-21695 (arbitrary filesystem access)\n\nA security issue has been found in Jenkins before version 2.319.\nFilePath#listFiles lists files outside directories with agent read\naccess when following symbolic links. 
This allows agent processes to\nread and write arbitrary files on the Jenkins controller file system,\nand obtain some information about Jenkins controller file systems.\n\n- CVE-2021-21696 (sandbox escape)\n\nJenkins before version 2.319 does not limit agent read/write access to\nthe libs/ directory inside build directories when using the FilePath\nAPIs. This directory is used by the \"Pipeline: Shared Groovy Libraries\"\nPlugin to store copies of shared libraries.\n\nThis allows attackers in control of agent processes to replace the code\nof a trusted library with a modified variant, resulting in unsandboxed\ncode execution in the Jenkins controller process.\n\nJenkins 2.319 prohibits agent read/write access to the libs/ directory\ninside build directories.\n\n- CVE-2021-21697 (arbitrary filesystem access)\n\nAgents are allowed some limited access to files on the Jenkins\ncontroller file system. The directories agents are allowed to access in\nJenkins before 2.319 include the directories storing build-related\ninformation, intended to allow agents to store build-related metadata\nduring build execution. 
As a consequence, this allows any agent to read\nand write the contents of any build directory stored in Jenkins with\nvery few restrictions (build.xml and some Pipeline-related metadata).\n\nJenkins 2.319 prevents agents from accessing contents of build\ndirectories unless it\u2019s for builds currently running on the agent\nattempting to access the directory.\n\nImpact\n======\n\nAgent processes could read and write arbitrary files on the Jenkins\ncontroller file system, and obtain some information about Jenkins\ncontroller file systems.\n\nReferences\n==========\n\nhttps://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455\nhttps://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2423\nhttps://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2428\nhttps://security.archlinux.org/CVE-2021-21685\nhttps://security.archlinux.org/CVE-2021-21686\nhttps://security.archlinux.org/CVE-2021-21687\nhttps://security.archlinux.org/CVE-2021-21688\nhttps://security.archlinux.org/CVE-2021-21689\nhttps://security.archlinux.org/CVE-2021-21690\nhttps://security.archlinux.org/CVE-2021-21691\nhttps://security.archlinux.org/CVE-2021-21692\nhttps://security.archlinux.org/CVE-2021-21693\nhttps://security.archlinux.org/CVE-2021-21694\nhttps://security.archlinux.org/CVE-2021-21695\nhttps://security.archlinux.org/CVE-2021-21696\nhttps://security.archlinux.org/CVE-2021-21697", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-05T00:00:00", "type": "archlinux", "title": "[ASA-202111-1] jenkins: multiple issues", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", 
"exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21685", "CVE-2021-21686", "CVE-2021-21687", "CVE-2021-21688", "CVE-2021-21689", "CVE-2021-21690", "CVE-2021-21691", "CVE-2021-21692", "CVE-2021-21693", "CVE-2021-21694", "CVE-2021-21695", "CVE-2021-21696", "CVE-2021-21697"], "modified": "2021-11-05T00:00:00", "id": "ASA-202111-1", "href": "https://security.archlinux.org/ASA-202111-1", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2022-04-08T01:38:46", "description": "The version of Jenkins Enterprise or Jenkins Operations Center running on the remote web server is 2.277.x prior to 2.277.43.0.2, or 2.x prior to 2.303.3.3. It is, therefore, affected by multiple vulnerabilities, including the following:\n\n - Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. (CVE-2021-21690)\n\n - Creating symbolic links is possible without the 'symlink' agent-to-controller access control permission in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. 
(CVE-2021-21691)\n\n - FilePath#renameTo and FilePath#moveAllChildrenTo in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier only check 'read' agent-to-controller access permission on the source path, instead of 'delete'.\n (CVE-2021-21692)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-11-19T00:00:00", "type": "nessus", "title": "Jenkins Enterprise and Operations Center < 2.277.43.0.2 / 2.303.3.3 Multiple Vulnerabilities (CloudBees Security Advisory 2021-11-04)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-21685", "CVE-2021-21686", "CVE-2021-21687", "CVE-2021-21688", "CVE-2021-21689", "CVE-2021-21690", "CVE-2021-21691", "CVE-2021-21692", "CVE-2021-21693", "CVE-2021-21694", "CVE-2021-21695", "CVE-2021-21696", "CVE-2021-21697", "CVE-2021-21698"], "modified": "2022-04-07T00:00:00", "cpe": ["cpe:/a:cloudbees:jenkins"], "id": "CLOUDBEES_SECURITY_ADVISORY_2021-11-04.NASL", "href": "https://www.tenable.com/plugins/nessus/155631", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(155631);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/07\");\n\n script_cve_id(\n \"CVE-2021-21685\",\n \"CVE-2021-21686\",\n \"CVE-2021-21687\",\n \"CVE-2021-21688\",\n \"CVE-2021-21689\",\n \"CVE-2021-21690\",\n \"CVE-2021-21691\",\n \"CVE-2021-21692\",\n \"CVE-2021-21693\",\n \"CVE-2021-21694\",\n \"CVE-2021-21695\",\n \"CVE-2021-21696\",\n \"CVE-2021-21697\",\n \"CVE-2021-21698\"\n );\n\n script_name(english:\"Jenkins Enterprise and Operations Center < 2.277.43.0.2 / 2.303.3.3 Multiple Vulnerabilities (CloudBees Security Advisory 2021-11-04)\");\n\n script_set_attribute(attribute:\"synopsis\", 
value:\n\"A job scheduling and management system hosted on the remote web server is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Jenkins Enterprise or Jenkins Operations Center running on the remote web server is 2.277.x prior to\n2.277.43.0.2, or 2.x prior to 2.303.3.3. It is, therefore, affected by multiple vulnerabilities, including the\nfollowing:\n\n - Agent processes are able to completely bypass file path filtering by wrapping the file operation in an\n agent file path in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. (CVE-2021-21690)\n\n - Creating symbolic links is possible without the 'symlink' agent-to-controller access control permission in\n Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. (CVE-2021-21691)\n\n - FilePath#renameTo and FilePath#moveAllChildrenTo in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier\n only check 'read' agent-to-controller access permission on the source path, instead of 'delete'.\n (CVE-2021-21692)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.cloudbees.com/cloudbees-security-advisory-2021-11-04\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade Jenkins Enterprise or Jenkins Operations Center to version 2.277.43.0.2, 2.303.3.3, or later.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-21696\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cloudbees:jenkins\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"jenkins_detect.nasl\", \"jenkins_win_installed.nbin\", \"jenkins_nix_installed.nbin\", \"macosx_jenkins_installed.nbin\");\n script_require_keys(\"installed_sw/Jenkins\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nvar app_info = vcf::combined_get_app_info(app:'Jenkins');\n\nvar constraints = [\n { 'min_version' : '2.277', 'fixed_version' : '2.277.43.0.2', 'edition' : make_list('Enterprise', 'Operations Center') },\n { 'min_version' : '2', 'fixed_version' : '2.303.3.3', 'edition' : make_list('Enterprise', 'Operations Center'), 'rolling_train' : TRUE },\n];\n\nvcf::jenkins::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_HOLE\n);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-18T00:09:26", "description": "The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:4799 advisory.\n\n - jenkins: FilePath#mkdirs does not check permission to create parent directories (CVE-2021-21685)\n\n - jenkins: File path filters do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories (CVE-2021-21686)\n\n - jenkins: 
FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic link (CVE-2021-21687)\n\n - jenkins: FilePath#reading(FileVisitor) does not reject any operations allowing users to have unrestricted read access (CVE-2021-21688)\n\n - jenkins: FilePath#unzip and FilePath#untar were not subject to any access control (CVE-2021-21689)\n\n - jenkins: Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path (CVE-2021-21690)\n\n - jenkins: Creating symbolic links is possible without the symlink permission (CVE-2021-21691)\n\n - jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the source path (CVE-2021-21692)\n\n - jenkins: When creating temporary files, permission to create files is only checked after they've been created. (CVE-2021-21693)\n\n - jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions (CVE-2021-21694)\n\n - jenkins: FilePath#listFiles lists files outside directories with agent read access when following symbolic links. 
(CVE-2021-21695)\n\n - jenkins: Agent-to-controller access control allowed writing to sensitive directory used by Pipeline:\n Shared Groovy Libraries Plugin (CVE-2021-21696)\n\n - jenkins: Agent-to-controller access control allows reading/writing most content of build directories (CVE-2021-21697)\n\n - jenkins-2-plugins/subversion: does not restrict the name of a file when looking up a subversion key (CVE-2021-21698)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-12-03T00:00:00", "type": "nessus", "title": "RHEL 8 : OpenShift Container Platform 4.6.51 packages and (RHSA-2021:4799)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-21685", "CVE-2021-21686", "CVE-2021-21687", "CVE-2021-21688", "CVE-2021-21689", "CVE-2021-21690", "CVE-2021-21691", "CVE-2021-21692", "CVE-2021-21693", "CVE-2021-21694", "CVE-2021-21695", "CVE-2021-21696", "CVE-2021-21697", "CVE-2021-21698"], "modified": "2022-05-17T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:8", "p-cpe:/a:redhat:enterprise_linux:jenkins", "p-cpe:/a:redhat:enterprise_linux:jenkins-2-plugins"], "id": "REDHAT-RHSA-2021-4799.NASL", "href": "https://www.tenable.com/plugins/nessus/155831", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2021:4799. 
The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(155831);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/17\");\n\n script_cve_id(\n \"CVE-2021-21685\",\n \"CVE-2021-21686\",\n \"CVE-2021-21687\",\n \"CVE-2021-21688\",\n \"CVE-2021-21689\",\n \"CVE-2021-21690\",\n \"CVE-2021-21691\",\n \"CVE-2021-21692\",\n \"CVE-2021-21693\",\n \"CVE-2021-21694\",\n \"CVE-2021-21695\",\n \"CVE-2021-21696\",\n \"CVE-2021-21697\",\n \"CVE-2021-21698\"\n );\n script_xref(name:\"RHSA\", value:\"2021:4799\");\n script_xref(name:\"IAVA\", value:\"2021-A-0551-S\");\n\n script_name(english:\"RHEL 8 : OpenShift Container Platform 4.6.51 packages and (RHSA-2021:4799)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2021:4799 advisory.\n\n - jenkins: FilePath#mkdirs does not check permission to create parent directories (CVE-2021-21685)\n\n - jenkins: File path filters do not canonicalize paths, allowing operations to follow symbolic links to\n outside allowed directories (CVE-2021-21686)\n\n - jenkins: FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic\n link (CVE-2021-21687)\n\n - jenkins: FilePath#reading(FileVisitor) does not reject any operations allowing users to have unrestricted\n read access (CVE-2021-21688)\n\n - jenkins: FilePath#unzip and FilePath#untar were not subject to any access control (CVE-2021-21689)\n\n - jenkins: Agent processes are able to completely bypass file path filtering by wrapping the file operation\n in an agent file path (CVE-2021-21690)\n\n - jenkins: Creating symbolic links is 
possible without the symlink permission (CVE-2021-21691)\n\n - jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the\n source path (CVE-2021-21692)\n\n - jenkins: When creating temporary files, permission to create files is only checked after they've been\n created. (CVE-2021-21693)\n\n - jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and\n FilePath#get*DiskSpace do not check any permissions (CVE-2021-21694)\n\n - jenkins: FilePath#listFiles lists files outside directories with agent read access when following symbolic\n links. (CVE-2021-21695)\n\n - jenkins: Agent-to-controller access control allowed writing to sensitive directory used by Pipeline:\n Shared Groovy Libraries Plugin (CVE-2021-21696)\n\n - jenkins: Agent-to-controller access control allows reading/writing most content of build directories\n (CVE-2021-21697)\n\n - jenkins-2-plugins/subversion: does not restrict the name of a file when looking up a subversion key\n (CVE-2021-21698)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/22.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/59.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/276.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/281.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/863.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21685\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21686\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://access.redhat.com/security/cve/CVE-2021-21687\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21688\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21689\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21690\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21691\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21692\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21693\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21694\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21695\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21696\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21697\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21698\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2021:4799\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020322\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020323\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020324\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020327\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020335\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020336\");\n 
script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020338\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020339\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020341\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020342\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020343\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020344\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020345\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020385\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected jenkins and / or jenkins-2-plugins packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-21696\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(22, 59, 276, 281, 863);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/12/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/12/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jenkins\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jenkins-2-plugins\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nvar os_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '8')) audit(AUDIT_OS_NOT, 'Red Hat 8.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar repositories = {\n 'openshift_4_6_el8': [\n 'rhocp-4.6-for-rhel-8-s390x-debug-rpms',\n 'rhocp-4.6-for-rhel-8-s390x-rpms',\n 'rhocp-4.6-for-rhel-8-s390x-source-rpms',\n 'rhocp-4.6-for-rhel-8-x86_64-debug-rpms',\n 'rhocp-4.6-for-rhel-8-x86_64-rpms',\n 'rhocp-4.6-for-rhel-8-x86_64-source-rpms'\n ]\n};\n\nvar repo_sets = 
rhel_get_valid_repo_sets(repositories:repositories);\nif(repo_sets == RHEL_REPOS_NO_OVERLAP_MESSAGE) audit(AUDIT_PACKAGE_LIST_MISSING, RHEL_REPO_AUDIT_PACKAGE_LIST_DETAILS);\n\nvar pkgs = [\n {'reference':'jenkins-2-plugins-4.6.1637602169-1.el8', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'openshift', 'repo_list':['openshift_4_6_el8']},\n {'reference':'jenkins-2.303.3.1637597493-1.el8', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'openshift', 'repo_list':['openshift_4_6_el8']}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n var repo_list = NULL;\n if (!empty_or_null(package_array['repo_list'])) repo_list = package_array['repo_list'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference &&\n release &&\n (rhel_decide_repo_check(repo_list:repo_list, repo_sets:repo_sets) || (!exists_check || rpm_exists(release:release, rpm:exists_check))) &&\n rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, 
allowmaj:allowmaj)) flag++;\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(repo_sets)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'jenkins / jenkins-2-plugins');\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-18T00:10:06", "description": "The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:4801 advisory.\n\n - jenkins: FilePath#mkdirs does not check permission to create parent directories (CVE-2021-21685)\n\n - jenkins: File path filters do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories (CVE-2021-21686)\n\n - jenkins: FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic link (CVE-2021-21687)\n\n - jenkins: FilePath#reading(FileVisitor) does not reject any operations allowing users to have unrestricted read access (CVE-2021-21688)\n\n - jenkins: FilePath#unzip and FilePath#untar were not subject to any access control (CVE-2021-21689)\n\n - jenkins: Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path (CVE-2021-21690)\n\n - jenkins: Creating symbolic links is possible without the symlink permission (CVE-2021-21691)\n\n - jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the source path (CVE-2021-21692)\n\n - jenkins: When creating temporary files, permission to create files is only checked after they've been created. 
(CVE-2021-21693)\n\n - jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions (CVE-2021-21694)\n\n - jenkins: FilePath#listFiles lists files outside directories with agent read access when following symbolic links. (CVE-2021-21695)\n\n - jenkins: Agent-to-controller access control allowed writing to sensitive directory used by Pipeline:\n Shared Groovy Libraries Plugin (CVE-2021-21696)\n\n - jenkins: Agent-to-controller access control allows reading/writing most content of build directories (CVE-2021-21697)\n\n - jenkins-2-plugins/subversion: does not restrict the name of a file when looking up a subversion key (CVE-2021-21698)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-12-02T00:00:00", "type": "nessus", "title": "RHEL 8 : OpenShift Container Platform 4.7.38 (RHSA-2021:4801)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-21685", "CVE-2021-21686", "CVE-2021-21687", "CVE-2021-21688", "CVE-2021-21689", "CVE-2021-21690", "CVE-2021-21691", "CVE-2021-21692", "CVE-2021-21693", "CVE-2021-21694", "CVE-2021-21695", "CVE-2021-21696", "CVE-2021-21697", "CVE-2021-21698"], "modified": "2022-05-17T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:8", "p-cpe:/a:redhat:enterprise_linux:jenkins", "p-cpe:/a:redhat:enterprise_linux:jenkins-2-plugins"], "id": "REDHAT-RHSA-2021-4801.NASL", "href": "https://www.tenable.com/plugins/nessus/155765", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2021:4801. 
The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(155765);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/17\");\n\n script_cve_id(\n \"CVE-2021-21685\",\n \"CVE-2021-21686\",\n \"CVE-2021-21687\",\n \"CVE-2021-21688\",\n \"CVE-2021-21689\",\n \"CVE-2021-21690\",\n \"CVE-2021-21691\",\n \"CVE-2021-21692\",\n \"CVE-2021-21693\",\n \"CVE-2021-21694\",\n \"CVE-2021-21695\",\n \"CVE-2021-21696\",\n \"CVE-2021-21697\",\n \"CVE-2021-21698\"\n );\n script_xref(name:\"RHSA\", value:\"2021:4801\");\n script_xref(name:\"IAVA\", value:\"2021-A-0551-S\");\n\n script_name(english:\"RHEL 8 : OpenShift Container Platform 4.7.38 (RHSA-2021:4801)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2021:4801 advisory.\n\n - jenkins: FilePath#mkdirs does not check permission to create parent directories (CVE-2021-21685)\n\n - jenkins: File path filters do not canonicalize paths, allowing operations to follow symbolic links to\n outside allowed directories (CVE-2021-21686)\n\n - jenkins: FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic\n link (CVE-2021-21687)\n\n - jenkins: FilePath#reading(FileVisitor) does not reject any operations allowing users to have unrestricted\n read access (CVE-2021-21688)\n\n - jenkins: FilePath#unzip and FilePath#untar were not subject to any access control (CVE-2021-21689)\n\n - jenkins: Agent processes are able to completely bypass file path filtering by wrapping the file operation\n in an agent file path (CVE-2021-21690)\n\n - jenkins: Creating symbolic links is possible 
without the symlink permission (CVE-2021-21691)\n\n - jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the\n source path (CVE-2021-21692)\n\n - jenkins: When creating temporary files, permission to create files is only checked after they've been\n created. (CVE-2021-21693)\n\n - jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and\n FilePath#get*DiskSpace do not check any permissions (CVE-2021-21694)\n\n - jenkins: FilePath#listFiles lists files outside directories with agent read access when following symbolic\n links. (CVE-2021-21695)\n\n - jenkins: Agent-to-controller access control allowed writing to sensitive directory used by Pipeline:\n Shared Groovy Libraries Plugin (CVE-2021-21696)\n\n - jenkins: Agent-to-controller access control allows reading/writing most content of build directories\n (CVE-2021-21697)\n\n - jenkins-2-plugins/subversion: does not restrict the name of a file when looking up a subversion key\n (CVE-2021-21698)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/22.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/59.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/276.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/281.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/863.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21685\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21686\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://access.redhat.com/security/cve/CVE-2021-21687\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21688\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21689\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21690\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21691\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21692\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21693\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21694\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21695\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21696\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21697\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21698\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2021:4801\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020322\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020323\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020324\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020327\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020335\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020336\");\n 
script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020338\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020339\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020341\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020342\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020343\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020344\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020345\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020385\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected jenkins and / or jenkins-2-plugins packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-21696\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(22, 59, 276, 281, 863);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/12/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/12/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jenkins\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jenkins-2-plugins\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nvar os_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '8')) audit(AUDIT_OS_NOT, 'Red Hat 8.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar repositories = {\n 'openshift_4_7_el8': [\n 'rhocp-4.7-for-rhel-8-s390x-debug-rpms',\n 'rhocp-4.7-for-rhel-8-s390x-rpms',\n 'rhocp-4.7-for-rhel-8-s390x-source-rpms',\n 'rhocp-4.7-for-rhel-8-x86_64-debug-rpms',\n 'rhocp-4.7-for-rhel-8-x86_64-rpms',\n 'rhocp-4.7-for-rhel-8-x86_64-source-rpms'\n ]\n};\n\nvar repo_sets = 
rhel_get_valid_repo_sets(repositories:repositories);\nif(repo_sets == RHEL_REPOS_NO_OVERLAP_MESSAGE) audit(AUDIT_PACKAGE_LIST_MISSING, RHEL_REPO_AUDIT_PACKAGE_LIST_DETAILS);\n\nvar pkgs = [\n {'reference':'jenkins-2-plugins-4.7.1637600997-1.el8', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'openshift', 'repo_list':['openshift_4_7_el8']},\n {'reference':'jenkins-2.303.3.1637597018-1.el8', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'openshift', 'repo_list':['openshift_4_7_el8']}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n var repo_list = NULL;\n if (!empty_or_null(package_array['repo_list'])) repo_list = package_array['repo_list'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference &&\n release &&\n (rhel_decide_repo_check(repo_list:repo_list, repo_sets:repo_sets) || (!exists_check || rpm_exists(release:release, rpm:exists_check))) &&\n rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, 
allowmaj:allowmaj)) flag++;\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(repo_sets)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'jenkins / jenkins-2-plugins');\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-01-21T12:06:22", "description": "The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:4827 advisory.\n\n - jenkins: FilePath#mkdirs does not check permission to create parent directories (CVE-2021-21685)\n\n - jenkins: File path filters do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories (CVE-2021-21686)\n\n - jenkins: FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic link (CVE-2021-21687)\n\n - jenkins: FilePath#reading(FileVisitor) does not reject any operations allowing users to have unrestricted read access (CVE-2021-21688)\n\n - jenkins: FilePath#unzip and FilePath#untar were not subject to any access control (CVE-2021-21689)\n\n - jenkins: Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path (CVE-2021-21690)\n\n - jenkins: Creating symbolic links is possible without the symlink permission (CVE-2021-21691)\n\n - jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the source path (CVE-2021-21692)\n\n - jenkins: When creating temporary files, permission to create files is only checked after they've been created. 
(CVE-2021-21693)\n\n - jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions (CVE-2021-21694)\n\n - jenkins: FilePath#listFiles lists files outside directories with agent read access when following symbolic links. (CVE-2021-21695)\n\n - jenkins: Agent-to-controller access control allowed writing to sensitive directory used by Pipeline:\n Shared Groovy Libraries Plugin (CVE-2021-21696)\n\n - jenkins: Agent-to-controller access control allows reading/writing most content of build directories (CVE-2021-21697)\n\n - jenkins-2-plugins/subversion: does not restrict the name of a file when looking up a subversion key (CVE-2021-21698)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-12-04T00:00:00", "type": "nessus", "title": "RHEL 7 : OpenShift Container Platform 3.11.569 (RHSA-2021:4827)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-21685", "CVE-2021-21686", "CVE-2021-21687", "CVE-2021-21688", "CVE-2021-21689", "CVE-2021-21690", "CVE-2021-21691", "CVE-2021-21692", "CVE-2021-21693", "CVE-2021-21694", "CVE-2021-21695", "CVE-2021-21696", "CVE-2021-21697", "CVE-2021-21698"], "modified": "2022-01-20T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:7", "p-cpe:/a:redhat:enterprise_linux:jenkins", "p-cpe:/a:redhat:enterprise_linux:jenkins-2-plugins"], "id": "REDHAT-RHSA-2021-4827.NASL", "href": "https://www.tenable.com/plugins/nessus/155858", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2021:4827. 
The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(155858);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/20\");\n\n script_cve_id(\n \"CVE-2021-21685\",\n \"CVE-2021-21686\",\n \"CVE-2021-21687\",\n \"CVE-2021-21688\",\n \"CVE-2021-21689\",\n \"CVE-2021-21690\",\n \"CVE-2021-21691\",\n \"CVE-2021-21692\",\n \"CVE-2021-21693\",\n \"CVE-2021-21694\",\n \"CVE-2021-21695\",\n \"CVE-2021-21696\",\n \"CVE-2021-21697\",\n \"CVE-2021-21698\"\n );\n script_xref(name:\"RHSA\", value:\"2021:4827\");\n script_xref(name:\"IAVA\", value:\"2021-A-0551-S\");\n\n script_name(english:\"RHEL 7 : OpenShift Container Platform 3.11.569 (RHSA-2021:4827)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2021:4827 advisory.\n\n - jenkins: FilePath#mkdirs does not check permission to create parent directories (CVE-2021-21685)\n\n - jenkins: File path filters do not canonicalize paths, allowing operations to follow symbolic links to\n outside allowed directories (CVE-2021-21686)\n\n - jenkins: FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic\n link (CVE-2021-21687)\n\n - jenkins: FilePath#reading(FileVisitor) does not reject any operations allowing users to have unrestricted\n read access (CVE-2021-21688)\n\n - jenkins: FilePath#unzip and FilePath#untar were not subject to any access control (CVE-2021-21689)\n\n - jenkins: Agent processes are able to completely bypass file path filtering by wrapping the file operation\n in an agent file path (CVE-2021-21690)\n\n - jenkins: Creating symbolic links is possible 
without the symlink permission (CVE-2021-21691)\n\n - jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the\n source path (CVE-2021-21692)\n\n - jenkins: When creating temporary files, permission to create files is only checked after they've been\n created. (CVE-2021-21693)\n\n - jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and\n FilePath#get*DiskSpace do not check any permissions (CVE-2021-21694)\n\n - jenkins: FilePath#listFiles lists files outside directories with agent read access when following symbolic\n links. (CVE-2021-21695)\n\n - jenkins: Agent-to-controller access control allowed writing to sensitive directory used by Pipeline:\n Shared Groovy Libraries Plugin (CVE-2021-21696)\n\n - jenkins: Agent-to-controller access control allows reading/writing most content of build directories\n (CVE-2021-21697)\n\n - jenkins-2-plugins/subversion: does not restrict the name of a file when looking up a subversion key\n (CVE-2021-21698)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/22.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/59.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/276.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/281.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/863.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21685\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21686\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://access.redhat.com/security/cve/CVE-2021-21687\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21688\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21689\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21690\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21691\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21692\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21693\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21694\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21695\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21696\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21697\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21698\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2021:4827\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020322\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020323\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020324\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020327\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020335\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020336\");\n 
script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020338\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020339\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020341\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020342\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020343\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020344\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020345\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020385\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected jenkins and / or jenkins-2-plugins packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-21696\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(22, 59, 276, 281, 863);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/12/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/12/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jenkins\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jenkins-2-plugins\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nvar os_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '7')) audit(AUDIT_OS_NOT, 'Red Hat 7.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar repositories = {\n 'openshift_3_11_el7': [\n 'rhel-7-server-ose-3.11-debug-rpms',\n 'rhel-7-server-ose-3.11-rpms',\n 'rhel-7-server-ose-3.11-source-rpms'\n ]\n};\n\nvar repo_sets = rhel_get_valid_repo_sets(repositories:repositories);\nif(repo_sets == RHEL_REPOS_NO_OVERLAP_MESSAGE) audit(AUDIT_PACKAGE_LIST_MISSING, RHEL_REPO_AUDIT_PACKAGE_LIST_DETAILS);\n\nvar pkgs = 
[\n {'reference':'jenkins-2-plugins-3.11.1637699107-1.el7', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'atomic-openshift-', 'repo_list':['openshift_3_11_el7']},\n {'reference':'jenkins-2.303.3.1637698110-1.el7', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'atomic-openshift-', 'repo_list':['openshift_3_11_el7']}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n var repo_list = NULL;\n if (!empty_or_null(package_array['repo_list'])) repo_list = package_array['repo_list'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference &&\n release &&\n (rhel_decide_repo_check(repo_list:repo_list, repo_sets:repo_sets) || (!exists_check || rpm_exists(release:release, rpm:exists_check))) &&\n rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(repo_sets)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = 
rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'jenkins / jenkins-2-plugins');\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-01-27T12:42:13", "description": "Jenkins Security Advisory : Description(Critical) SECURITY-2455 / CVE-2021-21685, CVE-2021-21686, CVE-2021-21687, CVE-2021-21688, CVE-2021-21689, CVE-2021-21690, CVE-2021-21691, CVE-2021-21692, CVE-2021-21693, CVE-2021-21694, CVE-2021-21695 Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control (High) SECURITY-2423 / CVE-2021-21696 Agent-to-controller access control allowed writing to sensitive directory used by Pipeline: Shared Groovy Libraries Plugin (High) SECURITY-2428 / CVE-2021-21697 Agent-to-controller access control allows reading/writing most content of build directories (Medium) SECURITY-2506 / CVE-2021-21698 Path traversal vulnerability in Subversion Plugin allows reading arbitrary files", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-11-05T00:00:00", "type": "nessus", "title": "FreeBSD : jenkins -- multiple vulnerabilities (2bf56269-90f8-4a82-b82f-c0e289f2a0dc)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-21685", "CVE-2021-21686", "CVE-2021-21687", "CVE-2021-21688", "CVE-2021-21689", "CVE-2021-21690", "CVE-2021-21691", "CVE-2021-21692", "CVE-2021-21693", "CVE-2021-21694", "CVE-2021-21695", "CVE-2021-21696", "CVE-2021-21697", "CVE-2021-21698"], "modified": "2022-01-26T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:jenkins", "p-cpe:/a:freebsd:freebsd:jenkins-lts", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_2BF5626990F84A82B82FC0E289F2A0DC.NASL", "href": "https://www.tenable.com/plugins/nessus/154925", 
"sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2021 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154925);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/26\");\n\n script_cve_id(\n \"CVE-2021-21685\",\n \"CVE-2021-21686\",\n \"CVE-2021-21687\",\n \"CVE-2021-21688\",\n \"CVE-2021-21689\",\n \"CVE-2021-21690\",\n \"CVE-2021-21691\",\n \"CVE-2021-21692\",\n \"CVE-2021-21693\",\n \"CVE-2021-21694\",\n \"CVE-2021-21695\",\n \"CVE-2021-21696\",\n \"CVE-2021-21697\",\n \"CVE-2021-21698\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0551-S\");\n\n script_name(english:\"FreeBSD : jenkins -- multiple vulnerabilities (2bf56269-90f8-4a82-b82f-c0e289f2a0dc)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"Jenkins Security Advisory : Description(Critical) SECURITY-2455 /\nCVE-2021-21685, CVE-2021-21686, CVE-2021-21687, CVE-2021-21688,\nCVE-2021-21689, CVE-2021-21690, CVE-2021-21691, CVE-2021-21692,\nCVE-2021-21693, CVE-2021-21694, CVE-2021-21695 Multiple\nvulnerabilities allow bypassing path filtering of agent-to-controller\naccess control (High) SECURITY-2423 / CVE-2021-21696\nAgent-to-controller access control allowed writing to sensitive\ndirectory used by Pipeline: Shared Groovy Libraries Plugin (High)\nSECURITY-2428 / CVE-2021-21697 
Agent-to-controller access control\nallows reading/writing most content of build directories (Medium)\nSECURITY-2506 / CVE-2021-21698 Path traversal vulnerability in\nSubversion Plugin allows reading arbitrary files\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.jenkins.io/security/advisory/2021-11-04/\");\n # https://vuxml.freebsd.org/freebsd/2bf56269-90f8-4a82-b82f-c0e289f2a0dc.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?91320c3f\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-21696\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:jenkins\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:jenkins-lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, 
Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"jenkins<2.319\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"jenkins-lts<2.303.3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-11T21:33:01", "description": "According to its self-reported version number, the version of Jenkins running on the remote web server is Jenkins LTS prior to 2.303.3 or Jenkins weekly prior to 2.319. It is, therefore, affected by multiple vulnerabilities:\n\n - Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agent-to-controller access to create parent directories in FilePath#mkdirs. (CVE-2021-21685)\n\n - File path filters in the agent-to-controller security subsystem of Jenkins 2.318 and earlier, LTS 2.303.2 and earlier do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories. (CVE-2021-21686)\n\n - Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agent-to-controller access to create symbolic links when unarchiving a symbolic link in FilePath#untar. 
(CVE-2021-21687)\n\n - The agent-to-controller security check FilePath#reading(FileVisitor) in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not reject any operations, allowing users to have unrestricted read access using certain operations (creating archives, FilePath#copyRecursiveTo). (CVE-2021-21688)\n\n - FilePath#unzip and FilePath#untar were not subject to any agent-to-controller access control in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. (CVE-2021-21689)\n\n - Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. (CVE-2021-21690)\n\n - Creating symbolic links is possible without the 'symlink' agent-to-controller access control permission in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. (CVE-2021-21691)\n\n - FilePath#renameTo and FilePath#moveAllChildrenTo in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier only check 'read' agent-to-controller access permission on the source path, instead of 'delete'.\n (CVE-2021-21692)\n\n - When creating temporary files, agent-to-controller access to create those files is only checked after they've been created in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. (CVE-2021-21693)\n\n - FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.\n (CVE-2021-21694)\n\n - FilePath#listFiles lists files outside directories that agents are allowed to access when following symbolic links in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. (CVE-2021-21695)\n\n - Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not limit agent read/write access to the libs/ directory inside build directories when using the FilePath APIs, allowing attackers in control of agent processes to replace the code of a trusted library with a modified variant. 
This results in unsandboxed code execution in the Jenkins controller process. (CVE-2021-21696)\n\n - Jenkins 2.318 and earlier, LTS 2.303.2 and earlier allows any agent to read and write the contents of any build directory stored in Jenkins with very few restrictions. (CVE-2021-21697)\n\n - Jenkins Subversion Plugin 2.15.0 and earlier does not restrict the name of a file when looking up a subversion key file on the controller from an agent. (CVE-2021-21698)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-11-04T00:00:00", "type": "nessus", "title": "Jenkins LTS < 2.303.3 / Jenkins weekly < 2.319 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-21685", "CVE-2021-21686", "CVE-2021-21687", "CVE-2021-21688", "CVE-2021-21689", "CVE-2021-21690", "CVE-2021-21691", "CVE-2021-21692", "CVE-2021-21693", "CVE-2021-21694", "CVE-2021-21695", "CVE-2021-21696", "CVE-2021-21697", "CVE-2021-21698"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:cloudbees:jenkins", "cpe:/a:jenkins:jenkins"], "id": "JENKINS_2_319.NASL", "href": "https://www.tenable.com/plugins/nessus/154894", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154894);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\n \"CVE-2021-21685\",\n \"CVE-2021-21686\",\n \"CVE-2021-21687\",\n \"CVE-2021-21688\",\n \"CVE-2021-21689\",\n \"CVE-2021-21690\",\n \"CVE-2021-21691\",\n \"CVE-2021-21692\",\n \"CVE-2021-21693\",\n \"CVE-2021-21694\",\n \"CVE-2021-21695\",\n \"CVE-2021-21696\",\n \"CVE-2021-21697\",\n \"CVE-2021-21698\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0551-S\");\n\n 
script_name(english:\"Jenkins LTS < 2.303.3 / Jenkins weekly < 2.319 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application running on a remote web server host is affected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the version of Jenkins running on the remote web server is Jenkins\nLTS prior to 2.303.3 or Jenkins weekly prior to 2.319. It is, therefore, affected by multiple vulnerabilities:\n\n - Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agent-to-controller access to create\n parent directories in FilePath#mkdirs. (CVE-2021-21685)\n\n - File path filters in the agent-to-controller security subsystem of Jenkins 2.318 and earlier, LTS 2.303.2\n and earlier do not canonicalize paths, allowing operations to follow symbolic links to outside allowed\n directories. (CVE-2021-21686)\n\n - Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agent-to-controller access to create\n symbolic links when unarchiving a symbolic link in FilePath#untar. (CVE-2021-21687)\n\n - The agent-to-controller security check FilePath#reading(FileVisitor) in Jenkins 2.318 and earlier, LTS\n 2.303.2 and earlier does not reject any operations, allowing users to have unrestricted read access using\n certain operations (creating archives, FilePath#copyRecursiveTo). (CVE-2021-21688)\n\n - FilePath#unzip and FilePath#untar were not subject to any agent-to-controller access control in Jenkins\n 2.318 and earlier, LTS 2.303.2 and earlier. (CVE-2021-21689)\n\n - Agent processes are able to completely bypass file path filtering by wrapping the file operation in an\n agent file path in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. (CVE-2021-21690)\n\n - Creating symbolic links is possible without the 'symlink' agent-to-controller access control permission in\n Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. 
(CVE-2021-21691)\n\n - FilePath#renameTo and FilePath#moveAllChildrenTo in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier\n only check 'read' agent-to-controller access permission on the source path, instead of 'delete'.\n (CVE-2021-21692)\n\n - When creating temporary files, agent-to-controller access to create those files is only checked after\n they've been created in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. (CVE-2021-21693)\n\n - FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and\n FilePath#get*DiskSpace do not check any permissions in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.\n (CVE-2021-21694)\n\n - FilePath#listFiles lists files outside directories that agents are allowed to access when following\n symbolic links in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. (CVE-2021-21695)\n\n - Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not limit agent read/write access to the libs/\n directory inside build directories when using the FilePath APIs, allowing attackers in control of agent\n processes to replace the code of a trusted library with a modified variant. This results in unsandboxed\n code execution in the Jenkins controller process. (CVE-2021-21696)\n\n - Jenkins 2.318 and earlier, LTS 2.303.2 and earlier allows any agent to read and write the contents of any\n build directory stored in Jenkins with very few restrictions. (CVE-2021-21697)\n\n - Jenkins Subversion Plugin 2.15.0 and earlier does not restrict the name of a file when looking up a\n subversion key file on the controller from an agent. 
(CVE-2021-21698)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://jenkins.io/security/advisory/2021-11-04\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade Jenkins weekly to version 2.319 or later or Jenkins LTS to version 2.303.3 or later\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-21696\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cloudbees:jenkins\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:jenkins:jenkins\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"jenkins_detect.nasl\", \"jenkins_win_installed.nbin\", \"jenkins_nix_installed.nbin\", \"macosx_jenkins_installed.nbin\");\n script_require_keys(\"installed_sw/Jenkins\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nvar app_info = vcf::combined_get_app_info(app:'Jenkins');\n\nvar constraints = [\n { 'max_version' : '2.318', 'fixed_version' : '2.319', 'edition' : 'Open Source' },\n { 'max_version' : '2.303.2', 'fixed_version' : '2.303.3', 'edition' : 'Open Source LTS' }\n];\n\nvcf::jenkins::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-18T00:09:26", "description": "The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:4833 advisory.\n\n - jenkins: FilePath#mkdirs does not check permission to create parent directories (CVE-2021-21685)\n\n - jenkins: File path filters do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories (CVE-2021-21686)\n\n - jenkins: FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic link (CVE-2021-21687)\n\n - jenkins: FilePath#reading(FileVisitor) does not reject any operations allowing users to have unrestricted read access (CVE-2021-21688)\n\n - jenkins: FilePath#unzip and FilePath#untar were not subject to any access control (CVE-2021-21689)\n\n - jenkins: Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path (CVE-2021-21690)\n\n - jenkins: Creating symbolic links is possible without the symlink permission (CVE-2021-21691)\n\n - jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the source path (CVE-2021-21692)\n\n - jenkins: When 
creating temporary files, permission to create files is only checked after they've been created. (CVE-2021-21693)\n\n - jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions (CVE-2021-21694)\n\n - jenkins: FilePath#listFiles lists files outside directories with agent read access when following symbolic links. (CVE-2021-21695)\n\n - jenkins: Agent-to-controller access control allowed writing to sensitive directory used by Pipeline:\n Shared Groovy Libraries Plugin (CVE-2021-21696)\n\n - jenkins: Agent-to-controller access control allows reading/writing most content of build directories (CVE-2021-21697)\n\n - jenkins-2-plugins/subversion: does not restrict the name of a file when looking up a subversion key (CVE-2021-21698)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-11-30T00:00:00", "type": "nessus", "title": "RHEL 8 : OpenShift Container Platform 4.9.9 (RHSA-2021:4833)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-21685", "CVE-2021-21686", "CVE-2021-21687", "CVE-2021-21688", "CVE-2021-21689", "CVE-2021-21690", "CVE-2021-21691", "CVE-2021-21692", "CVE-2021-21693", "CVE-2021-21694", "CVE-2021-21695", "CVE-2021-21696", "CVE-2021-21697", "CVE-2021-21698"], "modified": "2022-05-17T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:8", "p-cpe:/a:redhat:enterprise_linux:jenkins", "p-cpe:/a:redhat:enterprise_linux:jenkins-2-plugins"], "id": "REDHAT-RHSA-2021-4833.NASL", "href": "https://www.tenable.com/plugins/nessus/155728", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2021:4833. 
The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(155728);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/17\");\n\n script_cve_id(\n \"CVE-2021-21685\",\n \"CVE-2021-21686\",\n \"CVE-2021-21687\",\n \"CVE-2021-21688\",\n \"CVE-2021-21689\",\n \"CVE-2021-21690\",\n \"CVE-2021-21691\",\n \"CVE-2021-21692\",\n \"CVE-2021-21693\",\n \"CVE-2021-21694\",\n \"CVE-2021-21695\",\n \"CVE-2021-21696\",\n \"CVE-2021-21697\",\n \"CVE-2021-21698\"\n );\n script_xref(name:\"RHSA\", value:\"2021:4833\");\n script_xref(name:\"IAVA\", value:\"2021-A-0551-S\");\n\n script_name(english:\"RHEL 8 : OpenShift Container Platform 4.9.9 (RHSA-2021:4833)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2021:4833 advisory.\n\n - jenkins: FilePath#mkdirs does not check permission to create parent directories (CVE-2021-21685)\n\n - jenkins: File path filters do not canonicalize paths, allowing operations to follow symbolic links to\n outside allowed directories (CVE-2021-21686)\n\n - jenkins: FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic\n link (CVE-2021-21687)\n\n - jenkins: FilePath#reading(FileVisitor) does not reject any operations allowing users to have unrestricted\n read access (CVE-2021-21688)\n\n - jenkins: FilePath#unzip and FilePath#untar were not subject to any access control (CVE-2021-21689)\n\n - jenkins: Agent processes are able to completely bypass file path filtering by wrapping the file operation\n in an agent file path (CVE-2021-21690)\n\n - jenkins: Creating symbolic links is possible 
without the symlink permission (CVE-2021-21691)\n\n - jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the\n source path (CVE-2021-21692)\n\n - jenkins: When creating temporary files, permission to create files is only checked after they've been\n created. (CVE-2021-21693)\n\n - jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and\n FilePath#get*DiskSpace do not check any permissions (CVE-2021-21694)\n\n - jenkins: FilePath#listFiles lists files outside directories with agent read access when following symbolic\n links. (CVE-2021-21695)\n\n - jenkins: Agent-to-controller access control allowed writing to sensitive directory used by Pipeline:\n Shared Groovy Libraries Plugin (CVE-2021-21696)\n\n - jenkins: Agent-to-controller access control allows reading/writing most content of build directories\n (CVE-2021-21697)\n\n - jenkins-2-plugins/subversion: does not restrict the name of a file when looking up a subversion key\n (CVE-2021-21698)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/22.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/59.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/276.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/281.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/863.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21685\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21686\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://access.redhat.com/security/cve/CVE-2021-21687\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21688\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21689\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21690\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21691\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21692\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21693\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21694\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21695\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21696\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21697\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21698\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2021:4833\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020322\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020323\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020324\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020327\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020335\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020336\");\n 
script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020338\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020339\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020341\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020342\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020343\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020344\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020345\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020385\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected jenkins and / or jenkins-2-plugins packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-21696\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(22, 59, 276, 281, 863);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/30\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jenkins\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jenkins-2-plugins\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nvar os_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '8')) audit(AUDIT_OS_NOT, 'Red Hat 8.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar repositories = {\n 'openshift_4_9_el8': [\n 'rhocp-4.9-for-rhel-8-aarch64-debug-rpms',\n 'rhocp-4.9-for-rhel-8-aarch64-rpms',\n 'rhocp-4.9-for-rhel-8-aarch64-source-rpms',\n 'rhocp-4.9-for-rhel-8-s390x-debug-rpms',\n 'rhocp-4.9-for-rhel-8-s390x-rpms',\n 'rhocp-4.9-for-rhel-8-s390x-source-rpms',\n 'rhocp-4.9-for-rhel-8-x86_64-debug-rpms',\n 
'rhocp-4.9-for-rhel-8-x86_64-rpms',\n 'rhocp-4.9-for-rhel-8-x86_64-source-rpms'\n ]\n};\n\nvar repo_sets = rhel_get_valid_repo_sets(repositories:repositories);\nif(repo_sets == RHEL_REPOS_NO_OVERLAP_MESSAGE) audit(AUDIT_PACKAGE_LIST_MISSING, RHEL_REPO_AUDIT_PACKAGE_LIST_DETAILS);\n\nvar pkgs = [\n {'reference':'jenkins-2-plugins-4.9.1637598812-1.el8', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'openshift', 'repo_list':['openshift_4_9_el8']},\n {'reference':'jenkins-2.303.3.1637595827-1.el8', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'openshift', 'repo_list':['openshift_4_9_el8']}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n var repo_list = NULL;\n if (!empty_or_null(package_array['repo_list'])) repo_list = package_array['repo_list'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference &&\n release &&\n (rhel_decide_repo_check(repo_list:repo_list, repo_sets:repo_sets) || (!exists_check || rpm_exists(release:release, rpm:exists_check))) &&\n rpm_check(release:release, sp:sp, cpu:cpu, 
reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(repo_sets)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'jenkins / jenkins-2-plugins');\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-18T00:09:26", "description": "The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:4829 advisory.\n\n - jenkins: FilePath#mkdirs does not check permission to create parent directories (CVE-2021-21685)\n\n - jenkins: File path filters do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories (CVE-2021-21686)\n\n - jenkins: FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic link (CVE-2021-21687)\n\n - jenkins: FilePath#reading(FileVisitor) does not reject any operations allowing users to have unrestricted read access (CVE-2021-21688)\n\n - jenkins: FilePath#unzip and FilePath#untar were not subject to any access control (CVE-2021-21689)\n\n - jenkins: Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path (CVE-2021-21690)\n\n - jenkins: Creating symbolic links is possible without the symlink permission (CVE-2021-21691)\n\n - jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the source path (CVE-2021-21692)\n\n - jenkins: When creating temporary files, permission to create files is only checked after they've been 
created. (CVE-2021-21693)\n\n - jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions (CVE-2021-21694)\n\n - jenkins: FilePath#listFiles lists files outside directories with agent read access when following symbolic links. (CVE-2021-21695)\n\n - jenkins: Agent-to-controller access control allowed writing to sensitive directory used by Pipeline:\n Shared Groovy Libraries Plugin (CVE-2021-21696)\n\n - jenkins: Agent-to-controller access control allows reading/writing most content of build directories (CVE-2021-21697)\n\n - jenkins-2-plugins/subversion: does not restrict the name of a file when looking up a subversion key (CVE-2021-21698)\n\n - coreos-installer: restrict access permissions on /boot/ignition{,/config.ign} (CVE-2021-3917)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-12-01T00:00:00", "type": "nessus", "title": "RHEL 8 : OpenShift Container Platform 4.8.22 (RHSA-2021:4829)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-21685", "CVE-2021-21686", "CVE-2021-21687", "CVE-2021-21688", "CVE-2021-21689", "CVE-2021-21690", "CVE-2021-21691", "CVE-2021-21692", "CVE-2021-21693", "CVE-2021-21694", "CVE-2021-21695", "CVE-2021-21696", "CVE-2021-21697", "CVE-2021-21698", "CVE-2021-3917"], "modified": "2022-05-17T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:8", "p-cpe:/a:redhat:enterprise_linux:coreos-installer", "p-cpe:/a:redhat:enterprise_linux:jenkins", "p-cpe:/a:redhat:enterprise_linux:jenkins-2-plugins"], "id": "REDHAT-RHSA-2021-4829.NASL", "href": "https://www.tenable.com/plugins/nessus/155755", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat 
Security Advisory RHSA-2021:4829. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(155755);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/17\");\n\n script_cve_id(\n \"CVE-2021-3917\",\n \"CVE-2021-21685\",\n \"CVE-2021-21686\",\n \"CVE-2021-21687\",\n \"CVE-2021-21688\",\n \"CVE-2021-21689\",\n \"CVE-2021-21690\",\n \"CVE-2021-21691\",\n \"CVE-2021-21692\",\n \"CVE-2021-21693\",\n \"CVE-2021-21694\",\n \"CVE-2021-21695\",\n \"CVE-2021-21696\",\n \"CVE-2021-21697\",\n \"CVE-2021-21698\"\n );\n script_xref(name:\"RHSA\", value:\"2021:4829\");\n script_xref(name:\"IAVA\", value:\"2021-A-0551-S\");\n\n script_name(english:\"RHEL 8 : OpenShift Container Platform 4.8.22 (RHSA-2021:4829)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2021:4829 advisory.\n\n - jenkins: FilePath#mkdirs does not check permission to create parent directories (CVE-2021-21685)\n\n - jenkins: File path filters do not canonicalize paths, allowing operations to follow symbolic links to\n outside allowed directories (CVE-2021-21686)\n\n - jenkins: FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic\n link (CVE-2021-21687)\n\n - jenkins: FilePath#reading(FileVisitor) does not reject any operations allowing users to have unrestricted\n read access (CVE-2021-21688)\n\n - jenkins: FilePath#unzip and FilePath#untar were not subject to any access control (CVE-2021-21689)\n\n - jenkins: Agent processes are able to completely bypass file path filtering by wrapping the file operation\n in an agent file path 
(CVE-2021-21690)\n\n - jenkins: Creating symbolic links is possible without the symlink permission (CVE-2021-21691)\n\n - jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the\n source path (CVE-2021-21692)\n\n - jenkins: When creating temporary files, permission to create files is only checked after they've been\n created. (CVE-2021-21693)\n\n - jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and\n FilePath#get*DiskSpace do not check any permissions (CVE-2021-21694)\n\n - jenkins: FilePath#listFiles lists files outside directories with agent read access when following symbolic\n links. (CVE-2021-21695)\n\n - jenkins: Agent-to-controller access control allowed writing to sensitive directory used by Pipeline:\n Shared Groovy Libraries Plugin (CVE-2021-21696)\n\n - jenkins: Agent-to-controller access control allows reading/writing most content of build directories\n (CVE-2021-21697)\n\n - jenkins-2-plugins/subversion: does not restrict the name of a file when looking up a subversion key\n (CVE-2021-21698)\n\n - coreos-installer: restrict access permissions on /boot/ignition{,/config.ign} (CVE-2021-3917)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/22.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/59.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/276.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/281.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/863.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-3917\");\n 
script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21685\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21686\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21687\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21688\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21689\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21690\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21691\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21692\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21693\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21694\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21695\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21696\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21697\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-21698\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2021:4829\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2018478\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020322\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020323\");\n 
script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020324\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020327\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020335\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020336\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020338\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020339\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020341\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020342\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020343\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020344\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020345\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2020385\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected coreos-installer, jenkins and / or jenkins-2-plugins packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-21696\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(22, 59, 276, 281, 863);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/04\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/12/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:coreos-installer\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jenkins\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jenkins-2-plugins\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nvar os_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '8')) audit(AUDIT_OS_NOT, 'Red Hat 8.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) 
audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar repositories = {\n 'openshift_4_8_el8': [\n 'rhocp-4.8-for-rhel-8-s390x-debug-rpms',\n 'rhocp-4.8-for-rhel-8-s390x-rpms',\n 'rhocp-4.8-for-rhel-8-s390x-source-rpms',\n 'rhocp-4.8-for-rhel-8-x86_64-debug-rpms',\n 'rhocp-4.8-for-rhel-8-x86_64-rpms',\n 'rhocp-4.8-for-rhel-8-x86_64-source-rpms'\n ]\n};\n\nvar repo_sets = rhel_get_valid_repo_sets(repositories:repositories);\nif(repo_sets == RHEL_REPOS_NO_OVERLAP_MESSAGE) audit(AUDIT_PACKAGE_LIST_MISSING, RHEL_REPO_AUDIT_PACKAGE_LIST_DETAILS);\n\nvar pkgs = [\n {'reference':'coreos-installer-0.9.0-8.rhaos4.8.el8', 'cpu':'s390x', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'openshift', 'repo_list':['openshift_4_8_el8']},\n {'reference':'coreos-installer-0.9.0-8.rhaos4.8.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'openshift', 'repo_list':['openshift_4_8_el8']},\n {'reference':'jenkins-2-plugins-4.8.1637599935-1.el8', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'openshift', 'repo_list':['openshift_4_8_el8']},\n {'reference':'jenkins-2.303.3.1637596565-1.el8', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'openshift', 'repo_list':['openshift_4_8_el8']}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n var repo_list = NULL;\n if (!empty_or_null(package_array['repo_list'])) repo_list = package_array['repo_list'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if 
(!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference &&\n release &&\n (rhel_decide_repo_check(repo_list:repo_list, repo_sets:repo_sets) || (!exists_check || rpm_exists(release:release, rpm:exists_check))) &&\n rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(repo_sets)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'coreos-installer / jenkins / jenkins-2-plugins');\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "redhat": [{"lastseen": "2021-12-03T04:39:10", "description": "Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.\n\nSecurity Fix(es):\n\n* jenkins-2-plugins/subversion: does not restrict the name of a file when looking up a subversion key (CVE-2021-21698)\n* jenkins: FilePath#mkdirs does not check permission to create parent directories (CVE-2021-21685)\n* jenkins: File path filters do not canonicalize paths, allowing operations\nto follow symbolic links to 
outside allowed directories (CVE-2021-21686)\n* jenkins: FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic link (CVE-2021-21687)\n* jenkins: FilePath#reading(FileVisitor) does not reject any operations allowing users to have unrestricted read access (CVE-2021-21688)\n* jenkins: FilePath#unzip and FilePath#untar were not subject to any access control (CVE-2021-21689)\n* jenkins: Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path\n(CVE-2021-21690)\n* jenkins: Creating symbolic links is possible without the symlink permission (CVE-2021-21691)\n* jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the source path (CVE-2021-21692)\n* jenkins: When creating temporary files, permission to create files is only checked after they\u2019ve been created. (CVE-2021-21693)\n* jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any\npermissions (CVE-2021-21694)\n* jenkins: FilePath#listFiles lists files outside directories with agent read access when following symbolic links. 
(CVE-2021-21695)\n* jenkins: Agent-to-controller access control allowed writing to sensitive directory used by Pipeline: Shared Groovy Libraries Plugin (CVE-2021-21696)\n* jenkins: Agent-to-controller access control allows reading/writing most content of build directories (CVE-2021-21697)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-12-02T21:45:43", "type": "redhat", "title": "(RHSA-2021:4827) Important: OpenShift Container Platform 3.11.569 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21685", "CVE-2021-21686", "CVE-2021-21687", "CVE-2021-21688", "CVE-2021-21689", "CVE-2021-21690", "CVE-2021-21691", "CVE-2021-21692", "CVE-2021-21693", "CVE-2021-21694", "CVE-2021-21695", "CVE-2021-21696", "CVE-2021-21697", "CVE-2021-21698"], "modified": "2021-12-02T21:49:42", "id": "RHSA-2021:4827", "href": "https://access.redhat.com/errata/RHSA-2021:4827", "cvss": {"score": 7.5, "vector": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-03T04:42:25", "description": "Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.\n\nThis advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.6.51. See the following advisory for the container images for this release:\n\nhttps://access.redhat.com/errata/RHBA-2021:4800\n\nSecurity Fix(es):\n\n* jenkins-2-plugins/subversion: does not restrict the name of a file when\nlooking up a subversion key (CVE-2021-21698)\n* jenkins: FilePath#mkdirs does not check permission to create parent\ndirectories (CVE-2021-21685)\n* jenkins: File path filters do not canonicalize paths, allowing operations\nto follow symbolic links to outside allowed directories (CVE-2021-21686)\n* jenkins: FilePath#untar does not check permission to create symbolic\nlinks when unarchiving a symbolic link (CVE-2021-21687)\n* jenkins: FilePath#reading(FileVisitor) does not reject any operations\nallowing users to have unrestricted read access (CVE-2021-21688)\n* jenkins: FilePath#unzip and FilePath#untar were not subject to any access\ncontrol (CVE-2021-21689)\n* jenkins: Agent processes are able to completely bypass file path\nfiltering by wrapping the file operation in an agent file path\n(CVE-2021-21690)\n* jenkins: Creating symbolic links is possible without the symlink\npermission (CVE-2021-21691)\n* jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo\nonly check read permission on the source path (CVE-2021-21692)\n* jenkins: When creating temporary files, permission to create files is\nonly checked after they\u2019ve been created. 
(CVE-2021-21693)\n* jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize,\nFilePath#isDescendant, and FilePath#get*DiskSpace do not check any\npermissions (CVE-2021-21694)\n* jenkins: FilePath#listFiles lists files outside directories with agent\nread access when following symbolic links. (CVE-2021-21695)\n* jenkins: Agent-to-controller access control allowed writing to sensitive\ndirectory used by Pipeline: Shared Groovy Libraries Plugin (CVE-2021-21696)\n* jenkins: Agent-to-controller access control allows reading/writing most\ncontent of build directories (CVE-2021-21697)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAll OpenShift Container Platform 4.6 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. 
Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.6/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-12-02T18:25:53", "type": "redhat", "title": "(RHSA-2021:4799) Important: OpenShift Container Platform 4.6.51 packages and security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21685", "CVE-2021-21686", "CVE-2021-21687", "CVE-2021-21688", "CVE-2021-21689", "CVE-2021-21690", "CVE-2021-21691", "CVE-2021-21692", "CVE-2021-21693", "CVE-2021-21694", "CVE-2021-21695", "CVE-2021-21696", "CVE-2021-21697", "CVE-2021-21698"], "modified": "2021-12-02T18:29:29", "id": "RHSA-2021:4799", "href": "https://access.redhat.com/errata/RHSA-2021:4799", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-01T12:41:48", "description": "Red Hat OpenShift Container Platform is Red Hat's cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nThis advisory 
contains the RPM packages for Red Hat OpenShift Container\nPlatform 4.7.38. See the following advisory for the container images for\nthis release:\n\nhttps://access.redhat.com/errata/RHBA-2021:4802\n\nAll OpenShift Container Platform 4.7 users are advised to upgrade to these\nupdated packages and images when they are available in the appropriate\nrelease channel. To check for available updates, use the OpenShift Console\nor the CLI oc command. Instructions for upgrading a cluster are available\nat\nhttps://docs.openshift.com/container-platform/4.7/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor\nSecurity Fix(es):\n\n* jenkins-2-plugins/subversion: does not restrict the name of a file when\nlooking up a subversion key (CVE-2021-21698)\n* jenkins: FilePath#mkdirs does not check permission to create parent\ndirectories (CVE-2021-21685)\n* jenkins: File path filters do not canonicalize paths, allowing operations\nto follow symbolic links to outside allowed directories (CVE-2021-21686)\n* jenkins: FilePath#untar does not check permission to create symbolic\nlinks when unarchiving a symbolic link (CVE-2021-21687)\n* jenkins: FilePath#reading(FileVisitor) does not reject any operations\nallowing users to have unrestricted read access (CVE-2021-21688)\n* jenkins: FilePath#unzip and FilePath#untar were not subject to any access\ncontrol (CVE-2021-21689)\n* jenkins: Agent processes are able to completely bypass file path\nfiltering by wrapping the file operation in an agent file path\n(CVE-2021-21690)\n* jenkins: Creating symbolic links is possible without the symlink\npermission (CVE-2021-21691)\n* jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo\nonly check read permission on the source path (CVE-2021-21692)\n* jenkins: When creating temporary files, permission to create files is\nonly checked after they\u2019ve been created. 
(CVE-2021-21693)\n* jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize,\nFilePath#isDescendant, and FilePath#get*DiskSpace do not check any\npermissions (CVE-2021-21694)\n* jenkins: FilePath#listFiles lists files outside directories with agent\nread access when following symbolic links. (CVE-2021-21695)\n* jenkins: Agent-to-controller access control allowed writing to sensitive\ndirectory used by Pipeline: Shared Groovy Libraries Plugin (CVE-2021-21696)\n* jenkins: Agent-to-controller access control allows reading/writing most\ncontent of build directories (CVE-2021-21697)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s)\nlisted in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-12-01T12:16:32", "type": "redhat", "title": "(RHSA-2021:4801) Important: OpenShift Container Platform 4.7.38 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21685", "CVE-2021-21686", "CVE-2021-21687", "CVE-2021-21688", "CVE-2021-21689", 
"CVE-2021-21690", "CVE-2021-21691", "CVE-2021-21692", "CVE-2021-21693", "CVE-2021-21694", "CVE-2021-21695", "CVE-2021-21696", "CVE-2021-21697", "CVE-2021-21698"], "modified": "2021-12-01T12:19:34", "id": "RHSA-2021:4801", "href": "https://access.redhat.com/errata/RHSA-2021:4801", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-29T10:41:48", "description": "Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.\n\nThis advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.9.9. See the following advisory for the container images for this release:\n\nhttps://access.redhat.com/errata/RHSA-2021:4834\n\nSecurity Fix(es):\n\n* jenkins-2-plugins/subversion: does not restrict the name of a file when looking up a subversion key (CVE-2021-21698)\n* jenkins: FilePath#mkdirs does not check permission to create parent directories (CVE-2021-21685)\n* jenkins: File path filters do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories (CVE-2021-21686)\n* jenkins: FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic link (CVE-2021-21687)\n* jenkins: FilePath#reading(FileVisitor) does not reject any operations allowing users to have unrestricted read access (CVE-2021-21688)\n* jenkins: FilePath#unzip and FilePath#untar were not subject to any access control (CVE-2021-21689)\n* jenkins: Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path (CVE-2021-21690)\n* jenkins: Creating symbolic links is possible without the symlink permission (CVE-2021-21691)\n* jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the source path (CVE-2021-21692)\n* jenkins: When creating temporary files, permission to create files is only 
checked after they\u2019ve been created. (CVE-2021-21693)\n* jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions (CVE-2021-21694)\n* jenkins: FilePath#listFiles lists files outside directories with agent read access when following symbolic links. (CVE-2021-21695)\n* jenkins: Agent-to-controller access control allowed writing to sensitive directory used by Pipeline: Shared Groovy Libraries Plugin (CVE-2021-21696)\n* jenkins: Agent-to-controller access control allows reading/writing most content of build directories (CVE-2021-21697)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-29T10:28:11", "type": "redhat", "title": "(RHSA-2021:4833) Important: OpenShift Container Platform 4.9.9 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21685", "CVE-2021-21686", "CVE-2021-21687", 
"CVE-2021-21688", "CVE-2021-21689", "CVE-2021-21690", "CVE-2021-21691", "CVE-2021-21692", "CVE-2021-21693", "CVE-2021-21694", "CVE-2021-21695", "CVE-2021-21696", "CVE-2021-21697", "CVE-2021-21698"], "modified": "2021-11-29T10:31:32", "id": "RHSA-2021:4833", "href": "https://access.redhat.com/errata/RHSA-2021:4833", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-30T10:40:07", "description": "Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.\n\nThis advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.8.22. See the following advisory for the container images for this release:\n\nhttps://access.redhat.com/errata/RHBA-2021:4830\n\nAll OpenShift Container Platform 4.8 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console\nor the CLI oc command. 
Instructions for upgrading a cluster are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor\n\nSecurity Fix(es):\n\n* jenkins-2-plugins/subversion: does not restrict the name of a file when looking up a subversion key (CVE-2021-21698)\n* jenkins: FilePath#mkdirs does not check permission to create parent directories (CVE-2021-21685)\n* jenkins: File path filters do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories (CVE-2021-21686)\n* jenkins: FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic link (CVE-2021-21687)\n* jenkins: FilePath#reading(FileVisitor) does not reject any operations allowing users to have unrestricted read access (CVE-2021-21688)\n* coreos-installer: restrict access permissions on /boot/ignition{,/config.ign} (CVE-2021-3917)\n* jenkins: FilePath#unzip and FilePath#untar were not subject to any access control (CVE-2021-21689)\n* jenkins: Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path (CVE-2021-21690)\n* jenkins: Creating symbolic links is possible without the symlink permission (CVE-2021-21691)\n* jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the source path (CVE-2021-21692)\n* jenkins: When creating temporary files, permission to create files is only checked after they\u2019ve been created. (CVE-2021-21693)\n* jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions (CVE-2021-21694)\n* jenkins: FilePath#listFiles lists files outside directories with agent read access when following symbolic links. 
(CVE-2021-21695)\n* jenkins: Agent-to-controller access control allowed writing to sensitive directory used by Pipeline: Shared Groovy Libraries Plugin (CVE-2021-21696)\n* jenkins: Agent-to-controller access control allows reading/writing most content of build directories (CVE-2021-21697)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-30T09:00:06", "type": "redhat", "title": "(RHSA-2021:4829) Important: OpenShift Container Platform 4.8.22 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21685", "CVE-2021-21686", "CVE-2021-21687", "CVE-2021-21688", "CVE-2021-21689", "CVE-2021-21690", "CVE-2021-21691", "CVE-2021-21692", "CVE-2021-21693", "CVE-2021-21694", "CVE-2021-21695", "CVE-2021-21696", "CVE-2021-21697", "CVE-2021-21698", "CVE-2021-3917"], "modified": "2021-11-30T09:03:34", "id": "RHSA-2021:4829", "href": "https://access.redhat.com/errata/RHSA-2021:4829", "cvss": {"score": 7.5, 
"vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2022-01-19T15:51:30", "description": "\n\nJenkins Security Advisory:\n\nDescription\n(Critical) SECURITY-2455 / CVE-2021-21685, CVE-2021-21686, CVE-2021-21687, CVE-2021-21688, CVE-2021-21689, CVE-2021-21690, CVE-2021-21691, CVE-2021-21692, CVE-2021-21693, CVE-2021-21694, CVE-2021-21695\nMultiple vulnerabilities allow bypassing path filtering of agent-to-controller access control\n(High) SECURITY-2423 / CVE-2021-21696\nAgent-to-controller access control allowed writing to sensitive directory used by Pipeline: Shared Groovy Libraries Plugin\n(High) SECURITY-2428 / CVE-2021-21697\nAgent-to-controller access control allows reading/writing most content of build directories\n(Medium) SECURITY-2506 / CVE-2021-21698\nPath traversal vulnerability in Subversion Plugin allows reading arbitrary files\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-04T00:00:00", "type": "freebsd", "title": "jenkins -- multiple vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21685", "CVE-2021-21686", "CVE-2021-21687", 
"CVE-2021-21688", "CVE-2021-21689", "CVE-2021-21690", "CVE-2021-21691", "CVE-2021-21692", "CVE-2021-21693", "CVE-2021-21694", "CVE-2021-21695", "CVE-2021-21696", "CVE-2021-21697", "CVE-2021-21698"], "modified": "2021-11-04T00:00:00", "id": "2BF56269-90F8-4A82-B82F-C0E289F2A0DC", "href": "https://vuxml.freebsd.org/freebsd/2bf56269-90f8-4a82-b82f-c0e289f2a0dc.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}