Jenkins < 2.276, < 2.263.3 Arbitrary File Read Vulnerability (CVE-2021-21615)

Due to a time-of-check to time-of-use (TOCTOU) race condition, the file browser for workspaces, archived artifacts, and $JENKINS_HOME/userContent/ follows symbolic links to locations outside the directory being browsed in Jenkins. The vulnerability allows attackers with Job/Workspace permission and the ability to control workspace contents (e.g., with Job/Configure permission or the ability to change SCM contents) to create symbolic links that let them read files outside workspaces through the workspace browser.

Affected: Jenkins 2.275 and prior, and 2.263.2 LTS and prior. Fixed in 2.276 and 2.263.3 LTS.
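The class of bug described above, as an added example that is not Jenkins code and does not reproduce Jenkins' actual fix (that is in the linked advisory): a browser that validates a path by name and then opens it by name leaves a window in which a build step can replace a regular file with a symlink, and the second lookup follows it. The hardened reader opens each path component relative to a directory descriptor with O_NOFOLLOW, so the open itself is the check and there is nothing to race. The temporary workspace, the "secrets" directory standing in for $JENKINS_HOME/secrets, and the hook that simulates the attacker's timing are all constructed for the demo; it assumes a POSIX system where os.open supports dir_fd.

```python
"""Check-then-open TOCTOU in a workspace browser vs. a no-follow open. Added example, not Jenkins code."""
import errno
import os
import shutil
import stat
import tempfile

# errnos from an O_NOFOLLOW/O_DIRECTORY open hitting a symlink (ELOOP; EMLINK on some BSDs) or a non-dir
_REJECTED = {errno.ELOOP, errno.ENOTDIR, getattr(errno, "EMLINK", -1)}

def read_checked_then_open(root, rel, between_check_and_open=None):
    """VULNERABLE: validate the path by name, then open it by name. The checks and the
    open are separate lookups, so a symlink swapped in during the window (simulated by
    the constructed hook) is what the open follows."""
    path = os.path.join(root, rel)
    if os.path.islink(path):
        raise PermissionError("symlink rejected")
    if not os.path.realpath(path).startswith(os.path.realpath(root) + os.sep):
        raise PermissionError("resolves outside root")
    if between_check_and_open is not None:
        between_check_and_open()  # the race window
    with open(path, "rb") as fh:  # second lookup; follows whatever is there now
        return fh.read()

def open_beneath(root_fd, rel):
    """Open rel relative to root_fd one component at a time with O_NOFOLLOW: a symlink at
    any component fails at open time, and no check is separate from the open."""
    parts = [p for p in rel.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise PermissionError("empty path or parent traversal rejected")
    dfd = os.dup(root_fd)
    try:
        for comp in parts[:-1]:
            nfd = os.open(comp, os.O_RDONLY | os.O_NOFOLLOW | os.O_DIRECTORY, dir_fd=dfd)
            os.close(dfd)
            dfd = nfd
        return os.open(parts[-1], os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dfd)
    except OSError as exc:
        if exc.errno in _REJECTED:
            raise PermissionError("symlink or non-directory component: %s" % exc) from exc
        raise
    finally:
        os.close(dfd)

def read_beneath(root, rel):
    """HARDENED: open via open_beneath, then check the opened object (fstat on the
    descriptor, not stat on the name) is a regular file before reading."""
    root_fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        fd = open_beneath(root_fd, rel)
    finally:
        os.close(root_fd)
    if not stat.S_ISREG(os.fstat(fd).st_mode):
        os.close(fd)
        raise PermissionError("not a regular file")
    with os.fdopen(fd, "rb") as fh:
        return fh.read()

def _refuses(reader, root, rel):
    try:
        reader(root, rel)
    except PermissionError:
        return True
    return False

def demo():
    """Constructed layout: <tmp>/workspace is the browsed directory and <tmp>/secrets
    stands in for $JENKINS_HOME/secrets. Returns what each reader produced."""
    base = tempfile.mkdtemp()
    try:
        root = os.path.join(base, "workspace")
        os.makedirs(os.path.join(root, "build"))
        with open(os.path.join(root, "build", "log.txt"), "wb") as fh:
            fh.write(b"build output\n")
        secrets = os.path.join(base, "secrets")
        os.mkdir(secrets)
        target = os.path.join(secrets, "master.key")
        with open(target, "wb") as fh:
            fh.write(b"SECRET\n")
        rel = "build/log.txt"
        results = {"honest_vulnerable": read_checked_then_open(root, rel),
                   "honest_hardened": read_beneath(root, rel)}

        def attacker_swaps_symlink():  # what a malicious build step does in the window
            os.unlink(os.path.join(root, rel))
            os.symlink(target, os.path.join(root, rel))

        results["raced_vulnerable"] = read_checked_then_open(root, rel, attacker_swaps_symlink)
        results["raced_hardened_refused"] = _refuses(read_beneath, root, rel)
        os.symlink(secrets, os.path.join(root, "dirlink"))  # symlink as a directory component
        results["dir_symlink_refused"] = _refuses(read_beneath, root, "dirlink/master.key")
        return results
    finally:
        shutil.rmtree(base)

if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the vulnerable reader returning the secret once the symlink is swapped in after its checks, while the hardened reader refuses both a symlinked file and a symlinked directory component. The point of the design is that the hardened path never consults the name twice: the descriptor obtained from the O_NOFOLLOW open is the thing that gets fstat'ed and read, so there is no check whose result can go stale.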
Reporter | Title | Published | Views | Family
---|---|---|---|---
Tenable Nessus | Jenkins Enterprise and Operations Center < 2.222.43.0.2 / 2.249.30.0.2 / 2.263.2.3 Arbitrary File Read (CloudBees Security Advisory 2021-01-26) | 3 Dec 2021 00:00 | – | nessus
Tenable Nessus | Jenkins < 2.263.3 LTS / 2.276 TOCTOU | 28 Jan 2021 00:00 | – | nessus
Tenable Nessus | FreeBSD : jenkins -- Arbitrary file read vulnerability in workspace browsers (425f2143-8876-4b0a-af84-e0238c5c2062) | 27 Jan 2021 00:00 | – | nessus
Tenable Nessus | RHEL 7 / 8 : OpenShift Container Platform 4.5.33 (RHSA-2021:0429) | 3 Mar 2021 00:00 | – | nessus
Tenable Nessus | RHEL 8 : OpenShift Container Platform 4.6.17 (RHSA-2021:0423) | 18 Feb 2021 00:00 | – | nessus
FreeBSD | jenkins -- Arbitrary file read vulnerability in workspace browsers | 26 Jan 2021 00:00 | – | freebsd
Veracode | Race Condition | 4 Mar 2021 05:30 | – | veracode
Prion | Race condition | 26 Jan 2021 18:16 | – | prion
NVD | CVE-2021-21615 | 26 Jan 2021 18:16 | – | nvd
AlpineLinux | CVE-2021-21615 | 26 Jan 2021 18:16 | – | alpinelinux
Source | Link |
---|---|
jenkins | www.jenkins.io/security/advisory/2021-01-26/ |
# Copyright (C) 2021 Greenbone Networks GmbH
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-or-later
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
CPE = "cpe:/a:jenkins:jenkins";
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.145266");
script_version("2021-08-17T14:01:00+0000");
script_tag(name:"last_modification", value:"2021-08-17 14:01:00 +0000 (Tue, 17 Aug 2021)");
script_tag(name:"creation_date", value:"2021-01-28 03:32:56 +0000 (Thu, 28 Jan 2021)");
script_tag(name:"cvss_base", value:"3.5");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:S/C:P/I:N/A:N");
script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N");
script_tag(name:"severity_origin", value:"NVD");
script_tag(name:"severity_date", value:"2021-02-02 16:20:00 +0000 (Tue, 02 Feb 2021)");
script_cve_id("CVE-2021-21615");
script_tag(name:"qod_type", value:"remote_banner");
script_tag(name:"solution_type", value:"VendorFix");
script_name("Jenkins < 2.276, < 2.263.3 Arbitrary File Read Vulnerability");
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (C) 2021 Greenbone Networks GmbH");
script_family("Web application abuses");
script_dependencies("gb_jenkins_consolidation.nasl");
script_mandatory_keys("jenkins/detected");
script_tag(name:"summary", value:"Jenkins is prone to an arbitrary file read vulnerability.");
script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");
script_tag(name:"insight", value:"Due to a time-of-check to time-of-use (TOCTOU) race condition, the file
browser for workspaces, archived artifacts, and $JENKINS_HOME/userContent/ follows symbolic links to
locations outside the directory being browsed in Jenkins.");
script_tag(name:"impact", value:"The vulnerability allows attackers with Job/Workspace permission and the
ability to control workspace contents, e.g., with Job/Configure permission or the ability to change SCM
contents, to create symbolic links that allow them to access files outside workspaces using the workspace browser.");
script_tag(name:"affected", value:"Jenkins version 2.275 and prior and 2.263.2 LTS and prior.");
script_tag(name:"solution", value:"Update to version 2.276, 2.263.3 LTS or later.");
script_xref(name:"URL", value:"https://www.jenkins.io/security/advisory/2021-01-26/#SECURITY-2197");
exit(0);
}
include("host_details.inc");
include("version_func.inc");

# Port, version, install location and protocol come from the Jenkins detection VT
# this script depends on; without a detected version there is nothing to compare.
if(!port = get_app_port(cpe: CPE))
  exit(0);

if(!infos = get_app_full(cpe: CPE, port: port, exit_no_version: TRUE))
  exit(0);

version = infos["version"];
location = infos["location"];
proto = infos["proto"];

# Jenkins LTS (2.263.x) and weekly (2.27x) releases are separate version lines with
# different fixed versions, so the branch is selected from the is_lts key recorded
# during detection. Comparing a weekly version against the LTS threshold (or vice
# versa) would misclassify the target.
if(get_kb_item("jenkins/" + port + "/is_lts")) {
  if(version_is_less(version: version, test_version: "2.263.3")) {
    report = report_fixed_ver(installed_version: version, fixed_version: "2.263.3", install_path: location);
    security_message(port: port, data: report, proto: proto);
    exit(0);
  }
} else {
  if(version_is_less(version: version, test_version: "2.276")) {
    report = report_fixed_ver(installed_version: version, fixed_version: "2.276", install_path: location);
    security_message(port: port, data: report, proto: proto);
    exit(0);
  }
}

# exit(99): version checked and not affected (distinct from exit(0) after a report)
exit(99);