CloudBees Security Advisory 2021-01-26

Arbitrary file read vulnerability in workspace browsers 

SECURITY-2197 / CVE-2021-21615

Due to a time-of-check to time-of-use (TOCTOU) race condition, the file browser for workspaces, archived artifacts, and $JENKINS_HOME/userContent/ follows symbolic links to locations outside the directory being browsed in Jenkins 2.275 and LTS 2.263.2.

This allows attackers with Job/Workspace permission and the ability to control workspace contents, e.g., with Job/Configure permission or the ability to change SCM contents, to create symbolic links that allow them to access files outside workspaces using the workspace browser.

NOTE: This issue is caused by an incorrectly applied fix for SECURITY-1452 / CVE-2021-21602 in the 2021-01-13 security advisory.

Severity

• SECURITY-2197: Medium 

   

Fix

• CloudBees Traditional Platforms should be upgraded 2.263.2.3

• CloudBees Cloud Platforms should be upgraded 2.263.2.3

• CloudBees Jenkins Enterprise should be upgraded the Managed Masters and Operations Center to 2.263.2.3

• CloudBees Jenkins Platform (rolling train, CJP Operations Center and CJP Client Master (2.x.y.z) should be upgraded to version 2.263.2.3

• CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master (2.249.x.0.z) should be upgraded to version 2.249.30.0.2

• CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master (2.222.x.0.z) should be upgraded to version 2.222.43.0.2

• CloudBees Jenkins Distribution should be upgraded 2.263.2.3