5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-21615

GHSA ID

GHSA-qxp6-27gw-99cj

EPSS Score

0.60405%

CWE

CWE-367

Published

5/24/2022

Updated

1/29/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-21615

CVE-2021-21615: Time-of-check Time-of-use (TOCTOU) Race Condition in Jenkins

Due to a time-of-check to time-of-use (TOCTOU) race condition, the file browser for workspaces, archived artifacts, and $JENKINS_HOME/userContent/ follows symbolic links to locations outside the directory being browsed in Jenkins 2.275 and LTS 2.263.2.

This allows attackers with Job/Workspace permission and the ability to control workspace contents, e.g., with Job/Configure permission or the ability to change SCM contents, to create symbolic links that allow them to access files outside workspaces using the workspace browser.

This issue is caused by an incorrectly applied fix for SECURITY-1452 / CVE-2021-21602 in the 2021-01-13 security advisory.

Jenkins 2.276, LTS 2.263.3 no longer differentiates the check and the use of symlinks in workspace browsers.

(GitHub Advisory)

5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-21615

GHSA ID

GHSA-qxp6-27gw-99cj

EPSS Score

0.60405%

CWE

CWE-367

Published

5/24/2022

Updated

1/29/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.main:jenkins-core	maven	<= 2.263.2	2.263.3
org.jenkins-ci.main:jenkins-core	maven	>= 2.264, <= 2.275	2.276

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from non-atomic symlink handling in directory browsing components. Key indicators:

The advisory explicitly mentions workspace browsers, archived artifacts, and UserContent endpoints
The root cause is identified as improper symlink validation from a previous fix (CVE-2021-21602)
The fix involved eliminating the separation between validation and file access
Core file handling classes like DirectoryBrowserSupport and FilePath are known to manage symlink validation
WorkspaceBrowser and UserContent are specifically called out as affected components While exact code changes aren't shown, the vulnerability pattern and Jenkins architecture strongly implicate these core file handling functions that manage directory listings and file access controls.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*u* to * tim*-o*-****k to tim*-o*-us* (TO*TOU) r*** *on*ition, t** *il* *rows*r *or worksp***s, *r**iv** *rti***ts, *n* `$J*NKINS_*OM*/us*r*ont*nt/` *ollows sym*oli* links to lo**tions outsi** t** *ir**tory **in* *rows** in J*nkins *.*** *n* LTS *.**

Reasoning

T** vuln*r**ility st*ms *rom non-*tomi* symlink **n*lin* in *ir**tory *rowsin* *ompon*nts. K*y in*i**tors: *. T** **visory *xpli*itly m*ntions worksp*** *rows*rs, *r**iv** *rti***ts, *n* Us*r*ont*nt *n*points *. T** root **us* is i**nti*i** *s improp

5.3

Basic Information

Concerned about an active attack path?

CVE-2021-21615: Time-of-check Time-of-use (TOCTOU) Race Condition in Jenkins

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI