9.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-21697

GHSA ID

GHSA-cv2w-q8c3-xjv7

EPSS Score

0.65385%

CWE

CWE-184

Published

5/24/2022

Updated

12/18/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-21697

CVE-2021-21697: Agent-to-controller access control allows reading/writing most content of build directories in Jenkins

Agents are allowed some limited access to files on the Jenkins controller file system. The directories agents are allowed to access in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier include the directories storing build-related information, intended to allow agents to store build-related metadata during build execution. As a consequence, this allows any agent to read and write the contents of any build directory stored in Jenkins with very few restrictions (build.xml and some Pipeline-related metadata).

Jenkins 2.319, LTS 2.303.3 prevents agents from accessing contents of build directories unless it’s for builds currently running on the agent attempting to access the directory.

Update Pipeline: Nodes and Processes to version 2.40 or newer for Jenkins to associate Pipeline node blocks with the agent they’re running on for this fix.

If you are unable to immediately upgrade to Jenkins 2.319, LTS 2.303.3, you can install the Remoting Security Workaround Plugin. It will prevent all agent-to-controller file access using FilePath APIs. Because it is more restrictive than Jenkins 2.319, LTS 2.303.3, more plugins are incompatible with it. Make sure to read the plugin documentation before installing it.

(GitHub Advisory)

9.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-21697

GHSA ID

GHSA-cv2w-q8c3-xjv7

EPSS Score

0.65385%

CWE

CWE-184

Published

5/24/2022

Updated

12/18/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.main:jenkins-core	maven	>= 2.304, <= 2.318	2.319
org.jenkins-ci.main:jenkins-core	maven	<= 2.303.2	2.303.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key gaps:

The FilePath API implementation lacked contextual checks to limit build directory access to only builds actively running on the requesting agent (addressed by the new RunningBuildFilePathFilter in the patch).
The legacy path filtering system (AdminWhitelistRule) had incomplete disallowed inputs:
- Failed to canonicalize paths, enabling symlink attacks
- Allowed broad access to build directories without runtime context checks
- Did not properly validate operations like mkdirs, renameTo, and temporary file creation

The commit explicitly adds RunningBuildFilePathFilter to enforce runtime build-context checks, indicating these validations were missing in prior versions. The CWE-184 classification confirms the root cause was an incomplete allowlist/access control implementation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

***nts *r* *llow** som* limit** ****ss to *il*s on t** J*nkins *ontroll*r *il* syst*m. T** *ir**tori*s ***nts *r* *llow** to ****ss in J*nkins *.*** *n* **rli*r, LTS *.***.* *n* **rli*r in*lu** t** *ir**tori*s storin* *uil*-r*l*t** in*orm*tion, int*n

Reasoning

T** vuln*r**ility st*ms *rom two k*y **ps: *. T** *il*P*t* *PI impl*m*nt*tion l**k** *ont*xtu*l ****ks to limit *uil* *ir**tory ****ss to only *uil*s **tiv*ly runnin* on t** r*qu*stin* ***nt (***r*ss** *y t** n*w Runnin**uil**il*P*t**ilt*r in t** p*t

9.1

Basic Information

Concerned about an active attack path?

CVE-2021-21697: Agent-to-controller access control allows reading/writing most content of build directories in Jenkins

9.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI