
CVE-2021-21615: Time-of-check Time-of-use (TOCTOU) Race Condition in Jenkins

CVSS Score: 5.3 (CVSS v3.1)

Basic Information

EPSS Score: 0.60405%
Published: 5/24/2022
Updated: 1/29/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Affected packages (ecosystem: maven)

Package Name                        Vulnerable Versions      First Patched Version
org.jenkins-ci.main:jenkins-core    <= 2.263.2               2.263.3
org.jenkins-ci.main:jenkins-core    >= 2.264, <= 2.275       2.276

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from non-atomic symlink handling in Jenkins's directory-browsing code: the requested path is validated in one step (the link target is resolved and checked to lie inside the browsed directory) and the file is opened in a later step, so a user who can write into the browsed directory can replace a regular file with a symbolic link between the check and the use and have the browser serve a file outside the directory. The AC:H/PR:L vector reflects this: the attacker needs both a foothold that can write to the directory (for example a build that controls its workspace) and a race to win. Key indicators:

  1. The advisory explicitly names the workspace browser, archived artifacts, and the `$JENKINS_HOME/userContent/` endpoint as affected.
  2. The root cause is identified as improper symlink validation introduced by a previous fix (CVE-2021-21602), which added the check but left validation and file access as separate operations.
  3. The fix in 2.276 and LTS 2.263.3 eliminated the separation between validation and file access, so the open no longer trusts an earlier, separately performed check.
  4. The core file-handling classes DirectoryBrowserSupport and FilePath are where Jenkins manages directory listings, symlink validation and file access.
  5. WorkspaceBrowser and UserContent are specifically called out as affected components.

While the exact code changes are not shown here, the vulnerability pattern and the Jenkins architecture strongly implicate these core file-handling functions that manage directory listings and file access controls.
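The check-then-open pattern described above, and the kind of fix that removes the gap, shown as an added example. This is generic illustration code written for this page, not Jenkins code (Jenkins is Java, and the real classes are DirectoryBrowserSupport and FilePath); the function names, the constructed workspace layout and the `between_check_and_use` hook that stands in for an attacker winning the race are all assumptions made here so the race can be reproduced deterministically rather than by timing.

```python
import errno
import os
import shutil
import tempfile


def validated_path(root: str, rel: str) -> str:
    """Time-of-check: resolve rel under root and refuse anything that escapes.

    This is the style of check CVE-2021-21602's fix added; on its own it is
    correct, but it says nothing about what the path points to *later*.
    """
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, rel))
    if candidate != real_root and not candidate.startswith(real_root + os.sep):
        raise PermissionError(f"{rel!r} escapes the browsed directory")
    return os.path.join(real_root, rel)


def vulnerable_read(root: str, rel: str, between_check_and_use=None) -> bytes:
    """Check-then-open (the CVE-2021-21615 pattern): the path string that passed
    validation is re-resolved by the kernel at open time, following whatever
    symlink is there *now*."""
    path = validated_path(root, rel)
    if between_check_and_use:
        between_check_and_use()        # hypothetical hook: attacker swaps the file here
    with open(path, "rb") as f:        # follows a symlink planted after the check
        return f.read()


def safe_read(root: str, rel: str, between_check_and_use=None) -> bytes:
    """No separate check: walk rel one component at a time relative to a
    directory fd, opening every component with O_NOFOLLOW. A symlink swapped in
    at any point makes the open itself fail (ELOOP) instead of being followed,
    so there is no window between validation and access."""
    parts = [p for p in rel.split("/") if p and p != "."]
    if any(p == ".." for p in parts):
        raise PermissionError("'..' is not allowed in a browsed path")
    fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for i, part in enumerate(parts):
            last = i == len(parts) - 1
            if between_check_and_use and last:
                between_check_and_use()  # same hook: attacker swaps right before the open
            flags = os.O_RDONLY | os.O_NOFOLLOW | (0 if last else os.O_DIRECTORY)
            try:
                nfd = os.open(part, flags, dir_fd=fd)
            except OSError as e:
                if e.errno in (errno.ELOOP, errno.ENOTDIR):
                    raise PermissionError(f"refusing symlink or non-directory at {part!r}") from e
                raise
            os.close(fd)
            fd = nfd
        f = os.fdopen(fd, "rb")        # fdopen takes ownership of the final fd
        fd = -1
        with f:
            return f.read()
    finally:
        if fd != -1:
            os.close(fd)


def demo() -> dict:
    """Constructed scenario: a 'workspace' directory and a secret file outside it.
    The attacker replaces workspace/report.txt with a symlink to the secret
    after the path has been validated."""
    tmp = tempfile.mkdtemp()
    try:
        workspace = os.path.join(tmp, "workspace")
        os.mkdir(workspace)
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "w") as f:
            f.write("SECRET")
        target = os.path.join(workspace, "report.txt")

        def reset():
            if os.path.lexists(target):
                os.remove(target)
            with open(target, "w") as f:
                f.write("harmless")

        def attacker_swap():
            os.remove(target)
            os.symlink(secret, target)

        results = {}
        reset()
        results["vulnerable"] = vulnerable_read(workspace, "report.txt", attacker_swap)
        reset()
        try:
            safe_read(workspace, "report.txt", attacker_swap)
            results["safe"] = "followed"
        except PermissionError:
            results["safe"] = "refused"
        reset()
        results["safe_normal"] = safe_read(workspace, "report.txt")
        return results
    finally:
        shutil.rmtree(tmp)
```

Running `demo()` on Linux or macOS shows the two outcomes side by side: the check-then-open variant returns the contents of `secret.txt` even though `validated_path` approved a regular file, while the fd-relative O_NOFOLLOW walk refuses the swapped-in link and still serves the ordinary file when no swap happens. The design point is the one the root-cause analysis makes: a path that was safe when checked is not an argument for opening that path string later; the open itself has to refuse to follow links, or must operate on a handle obtained during the check.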


Description

Due to a time-of-check to time-of-use (TOCTOU) race condition, the file browser for workspaces, archived artifacts, and `$JENKINS_HOME/userContent/` follows symbolic links to locations outside the directory being browsed in Jenkins 2.275 and LTS 2.263.2.
