Lucene search

K
githubGitHub Advisory DatabaseGHSA-QXP6-27GW-99CJ
HistoryMay 24, 2022 - 5:40 p.m.

Time-of-check Time-of-use (TOCTOU) Race Condition in Jenkins

2022-05-2417:40:19
CWE-367
GitHub Advisory Database
github.com
21
time-of-check time-of-use
toctou
race condition
jenkins
security vulnerability
symbolic links
workspace browsing
security advisory

CVSS2

4

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

28.4%

Due to a time-of-check to time-of-use (TOCTOU) race condition, the file browser for workspaces, archived artifacts, and $JENKINS_HOME/userContent/ follows symbolic links to locations outside the directory being browsed in Jenkins 2.275 and LTS 2.263.2.

This allows attackers with Job/Workspace permission and the ability to control workspace contents, e.g., with Job/Configure permission or the ability to change SCM contents, to create symbolic links that allow them to access files outside workspaces using the workspace browser.

This issue is caused by an incorrectly applied fix for SECURITY-1452 / CVE-2021-21602 in the 2021-01-13 security advisory.

Jenkins 2.276, LTS 2.263.3 no longer differentiates the check and the use of symlinks in workspace browsers.

Affected configurations

Vulners
Node
org.jenkins-ci.mainjenkins-coreRange2.264–2.275
OR
org.jenkins-ci.mainjenkins-coreRange≤2.263.2
VendorProductVersionCPE
org.jenkins-ci.mainjenkins-core*cpe:2.3:a:org.jenkins-ci.main:jenkins-core:*:*:*:*:*:*:*:*

CVSS2

4

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

28.4%