4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-21606

GHSA ID

GHSA-f585-9fw3-rj2m

EPSS Score

0.24895%

CWE

CWE-20

Published

5/24/2022

Updated

12/14/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-21606

CVE-2021-21606: Arbitrary file existence check in file fingerprints in Jenkins

Jenkins provides a feature for jobs to store and track fingerprints of files used during a build. Jenkins 2.274 and earlier, LTS 2.263.1 and earlier provides a REST API to check where a given fingerprint was used by which builds. This endpoint does not fully validate that the provided fingerprint ID is properly formatted before checking for the XML metadata for that fingerprint on the controller file system.

This allows attackers with Overall/Read permission to check for the existence of XML files on the controller file system where the relative path can be constructed as 32 characters.

Jenkins 2.275, LTS 2.263.2 validates that a fingerprint ID is properly formatted before checking for its existence.

(GitHub Advisory)

4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-21606

GHSA ID

GHSA-f585-9fw3-rj2m

EPSS Score

0.24895%

CWE

CWE-20

Published

5/24/2022

Updated

12/14/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.main:jenkins-core	maven	< 2.263.2	2.263.2
org.jenkins-ci.main:jenkins-core	maven	>= 2.264, <= 2.274	2.275

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key issues: 1) FileFingerprintStorage.load() lacked validation of fingerprint ID format before building filesystem paths, enabling directory traversal. 2) FingerprintMap.toByteArray() used custom hex parsing that didn't enforce proper MD5 format. The commit fixes show the vulnerability was addressed by adding hex validation (Util.fromHexString) in both the load method and fingerprint creation path. The test cases demonstrate how unvalidated IDs could be manipulated to access files outside the intended directory structure.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins provi**s * ***tur* *or jo*s to stor* *n* tr**k *in**rprints o* *il*s us** *urin* * *uil*. J*nkins *.*** *n* **rli*r, LTS *.***.* *n* **rli*r provi**s * R*ST *PI to ****k w**r* * *iv*n *in**rprint w*s us** *y w*i** *uil*s. T*is *n*point *o*s n

Reasoning

T** vuln*r**ility st*ms *rom two k*y issu*s: *) *il**in**rprintStor***.lo**() l**k** v*li**tion o* *in**rprint I* *orm*t ***or* *uil*in* *il*syst*m p*t*s, *n**lin* *ir**tory tr*v*rs*l. *) *in**rprintM*p.to*yt**rr*y() us** *ustom **x p*rsin* t**t *i*n

4.3

Basic Information

Concerned about an active attack path?

CVE-2021-21606: Arbitrary file existence check in file fingerprints in Jenkins

4.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI