CVE-2021-21606: Arbitrary file existence check in file fingerprints in Jenkins

CVSS Score (v3.1): 4.3

Basic Information

EPSS Score: 0.24895%
Published: 5/24/2022
Updated: 12/14/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
org.jenkins-ci.main:jenkins-core | maven | < 2.263.2 | 2.263.2
org.jenkins-ci.main:jenkins-core | maven | >= 2.264, <= 2.274 | 2.275

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from two issues: 1) FileFingerprintStorage.load() did not validate the fingerprint ID format before building filesystem paths from it, enabling directory traversal. 2) FingerprintMap.toByteArray() used custom hex parsing that did not enforce a proper MD5 format. The fix commits address both by adding hex validation (Util.fromHexString) in the load method and in the fingerprint creation path. The accompanying test cases demonstrate how unvalidated IDs could be used to reach files outside the intended directory structure.
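As an added illustration of the two issues described above (example code written for this page, not Jenkins code): a simplified fingerprint store that derives a file name from a caller-supplied ID, once without any format validation and once with strict MD5 hex parsing applied first. The storage root, the flat file layout and the strictMd5Bytes() helper are assumptions of this example; the page names Util.fromHexString as the validator used in the actual fix.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example, not Jenkins code: a simplified model of a fingerprint store whose
// file names are derived from a caller-supplied fingerprint ID. The storage root and
// the flat file layout are constructed for this example; strictMd5Bytes() stands in
// for the hex validation (Util.fromHexString) that the page says the fix introduced.
public final class FingerprintIdValidationDemo {

    private static final Path ROOT = Paths.get("/var/lib/jenkins/fingerprints"); // constructed

    /**
     * Strict hex parsing: exactly 32 hex characters (a 16-byte MD5 digest), nothing else.
     * Anything malformed is rejected instead of being silently accepted into a path.
     */
    static byte[] strictMd5Bytes(String id) {
        if (id == null || id.length() != 32) {
            throw new IllegalArgumentException("fingerprint ID must be 32 hex characters");
        }
        byte[] out = new byte[16];
        for (int i = 0; i < 32; i += 2) {
            int hi = Character.digit(id.charAt(i), 16);
            int lo = Character.digit(id.charAt(i + 1), 16);
            if (hi < 0 || lo < 0) {
                throw new IllegalArgumentException("fingerprint ID contains a non-hex character");
            }
            out[i / 2] = (byte) ((hi << 4) | lo);
        }
        return out;
    }

    /** Vulnerable pattern: the raw ID becomes part of a filesystem path. */
    static Path vulnerableLoadPath(String id) {
        return ROOT.resolve(id + ".xml");
    }

    /** Hardened pattern: validate the ID format first, then confine the result to the root. */
    static Path hardenedLoadPath(String id) {
        strictMd5Bytes(id); // throws on anything that is not a well-formed MD5 hex digest
        Path p = ROOT.resolve(id.toLowerCase() + ".xml").normalize();
        if (!p.startsWith(ROOT)) { // defense in depth; unreachable once the ID is validated
            throw new IllegalStateException("resolved path escaped the storage root");
        }
        return p;
    }

    public static void main(String[] args) {
        String validId = "d41d8cd98f00b204e9800998ecf8427e"; // MD5 of the empty string
        String malformedId = "../outside-the-store";          // constructed: not a hex digest

        System.out.println("vulnerable, valid id    : " + vulnerableLoadPath(validId));
        // Without validation the path is built from whatever the caller sent.
        System.out.println("vulnerable, malformed id: " + vulnerableLoadPath(malformedId).normalize());

        System.out.println("hardened, valid id      : " + hardenedLoadPath(validId));
        try {
            hardenedLoadPath(malformedId);
        } catch (IllegalArgumentException e) {
            System.out.println("hardened, malformed id  : rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with javac and java. The hardened variant rejects the malformed ID before any path is built, which is the property the fix restores; the startsWith check is kept as a second layer so that a future change to the path layout cannot silently reintroduce the escape.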

WAF Protection Rules

WAF Rule

Jenkins provides a feature for jobs to store and track fingerprints of files used during a build. Jenkins 2.274 and earlier, LTS 2.263.1 and earlier provides a REST API to check where a given fingerprint was used by which builds. This endpoint does n