6.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-21682

GHSA ID

GHSA-6q4g-84f3-mw74

EPSS Score

0.74395%

CWE

CWE-42

Published

5/24/2022

Updated

12/18/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-21682

CVE-2021-21682: Improper handling of equivalent directory names on Windows in Jenkins

Jenkins stores jobs and other entities on disk using their name shown on the UI as file and folder names.

On Windows, when specifying a file or folder with a trailing dot character (example.), the file or folder will be treated as if that character was not present (example). As both are legal names for jobs and other entities in Jenkins 2.314 and earlier, LTS 2.303.1 and earlier, this could allow users with the appropriate permissions to change or replace configurations of jobs and other entities.

Jenkins 2.315, LTS 2.303.2 does not allow names of jobs and other entities to end with a dot character.

(GitHub Advisory)

6.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-21682

GHSA ID

GHSA-6q4g-84f3-mw74

EPSS Score

0.74395%

CWE

CWE-42

Published

5/24/2022

Updated

12/18/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.main:jenkins-core	maven	>= 2.304, <= 2.314	2.315
org.jenkins-ci.main:jenkins-core	maven	<= 2.303.1	2.303.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from Jenkins' filename validation logic allowing trailing dots in entity names. The commit diff shows the vulnerability was patched by adding a trailing dot check in Jenkins.checkGoodName(). In vulnerable versions, this function did not include the 'endsWith(".")' validation, making it the root cause. The function is directly responsible for validating entity names and its lack of trailing dot handling created the path equivalence vulnerability on Windows systems.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins stor*s jo*s *n* ot**r *ntiti*s on *isk usin* t**ir n*m* s*own on t** UI *s *il* *n* *ol**r n*m*s. On Win*ows, w**n sp**i*yin* * *il* or *ol**r wit* * tr*ilin* *ot ***r**t*r (`*x*mpl*.`), t** *il* or *ol**r will ** tr**t** *s i* t**t ***r**t*

Reasoning

T** vuln*r**ility st*ms *rom J*nkins' `*il*n*m*` v*li**tion lo*i* *llowin* tr*ilin* *ots in *ntity n*m*s. T** *ommit *i** s*ows t** vuln*r**ility w*s p*t**** *y ***in* * tr*ilin* *ot ****k in `J*nkins.****k*oo*N*m*()`. In vuln*r**l* v*rsions, t*is *u

6.3

Basic Information

Concerned about an active attack path?

CVE-2021-21682: Improper handling of equivalent directory names on Windows in Jenkins

6.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI