CVE-2021-21615: Time-of-check Time-of-use (TOCTOU) Race Condition in Jenkins
CVSS Score: 5.3 (CVSS 3.1)
Basic Information
CVE ID: CVE-2021-21615
GHSA ID
EPSS Score: 0.60405%
CWE
Published: 5/24/2022
Updated: 1/29/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.jenkins-ci.main:jenkins-core | maven | <= 2.263.2 | 2.263.3 |
| org.jenkins-ci.main:jenkins-core | maven | >= 2.264, <= 2.275 | 2.276 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from non-atomic symlink handling in directory browsing components. Key indicators:
- The advisory explicitly mentions workspace browsers, archived artifacts, and UserContent endpoints
- The root cause is identified as improper symlink validation from a previous fix (CVE-2021-21602)
- The fix involved eliminating the separation between validation and file access
- Core file handling classes like DirectoryBrowserSupport and FilePath are known to manage symlink validation
- WorkspaceBrowser and UserContent are specifically called out as affected components

While the exact code changes aren't shown, the vulnerability pattern and the Jenkins architecture strongly implicate these core file handling functions that manage directory listings and file access controls.