
CVE-2021-21688: Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in Jenkins

CVSS 3.1 Base Score: 9.1

Basic Information

EPSS Score: 0.56895%
Published: 5/24/2022
Updated: 12/18/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Affected package (Maven ecosystem):

| Package Name                        | Ecosystem | Vulnerable Versions  | First Patched Version |
|-------------------------------------|-----------|----------------------|-----------------------|
| org.jenkins-ci.main:jenkins-core    | maven     | >= 2.304, <= 2.318   | 2.319                 |
| org.jenkins-ci.main:jenkins-core    | maven     | <= 2.303.2           | 2.303.3               |

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability description names FilePath#reading(FileVisitor) as the root cause (CVE-2021-21688/SECURITY-2484): the advisory states that this method did not reject read operations on paths outside the allowed directories, so the agent-to-controller path filtering could be bypassed for reads. The commit diff removes security-related serialization checks in FilePath's inner classes, and the test cases added in Security2455Test.java validate that archive operations such as unzip were previously allowed without an access-control check, which matches the described vulnerability pattern. The method is named in both the CVE description and the security advisory as the flawed component.
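The check the analysis above describes as missing, as an added example: an agent-requested read of a controller file must be rejected when the resolved target lies outside an allowlisted directory. This is illustrative code written for this page, not Jenkins' FilePath implementation and not from the advisory. The function names (read_unchecked, read_checked), the AccessDenied exception and the temporary fixture layout (a "workspace" directory, a secret file outside it, a symlink inside it pointing at the secret) are all assumptions constructed for the demonstration. It goes slightly beyond the text in that it also shows why the check must canonicalize the path first: a purely lexical prefix check would still let a symlink inside the workspace reach a file outside it.

```python
"""Agent-to-controller path filtering: the vulnerable shape beside a hardened one.

Added illustration for CVE-2021-21688; hypothetical names, not Jenkins code.
"""
import os
import tempfile


class AccessDenied(Exception):
    """Raised when a requested path does not resolve inside an allowed root."""


def read_unchecked(path):
    # Vulnerable shape: the read is served without consulting the allowlist at all.
    with open(path, "rb") as f:
        return f.read()


def read_checked(path, allowed_roots):
    # Hardened shape: resolve symlinks and '..' on both the request and the
    # allowed roots, then require the real target to sit under one of them.
    real = os.path.realpath(path)
    for root in allowed_roots:
        real_root = os.path.realpath(root)
        if os.path.commonpath([real, real_root]) == real_root:
            with open(real, "rb") as f:
                return f.read()
    raise AccessDenied(path)


def build_fixture():
    """Constructed sample layout (hypothetical, created in a temp directory):
    <base>/workspace/build.log        allowed
    <base>/secrets/controller-secret  outside the allowed root
    <base>/workspace/link-to-secret   symlink inside the root pointing outside
    """
    base = tempfile.mkdtemp(prefix="path-filter-demo-")
    workspace = os.path.join(base, "workspace")
    os.makedirs(workspace)
    with open(os.path.join(workspace, "build.log"), "wb") as f:
        f.write(b"build ok\n")
    secret = os.path.join(base, "secrets", "controller-secret")
    os.makedirs(os.path.dirname(secret))
    with open(secret, "wb") as f:
        f.write(b"controller-secret\n")
    os.symlink(secret, os.path.join(workspace, "link-to-secret"))
    return workspace, secret


def _rejected(path, allowed):
    try:
        read_checked(path, allowed)
    except AccessDenied:
        return True
    return False


def demo():
    """Run the three request shapes through both readers; returns a dict of booleans."""
    workspace, _secret = build_fixture()
    allowed = [workspace]
    inside = os.path.join(workspace, "build.log")
    traversal = os.path.join(workspace, "..", "secrets", "controller-secret")
    link = os.path.join(workspace, "link-to-secret")
    return {
        # A legitimate read inside the workspace is still served.
        "inside_allowed": read_checked(inside, allowed) == b"build ok\n",
        # Without the check, '..' traversal reads the secret.
        "traversal_unchecked_leaks": read_unchecked(traversal) == b"controller-secret\n",
        "traversal_checked_rejected": _rejected(traversal, allowed),
        # Without the check, a symlink planted inside the workspace reads the secret.
        "symlink_unchecked_leaks": read_unchecked(link) == b"controller-secret\n",
        # realpath() follows the link, so the hardened reader rejects it too.
        "symlink_checked_rejected": _rejected(link, allowed),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The containment test compares the canonical path against the canonical root with os.path.commonpath rather than a string startswith, so a root named workspace cannot be matched by a sibling named workspace2, and the symlink case shows why the resolution has to happen before the comparison, not after.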


WAF Protection Rules

WAF Rule

The agent-to-controller security subsystem limits which files on the Jenkins controller can be accessed by agent processes. Multiple vulnerabilities in the file path filtering implementation of Jenkins 2.318 and earlier, LTS 2.303.2 and earlier allo
