
====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN047
_____________________________________________________________________

DATE                : 26/01/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running Jenkins (core) weekly versions prior
                      to 2.276 and LTS versions prior to 2.263.3.

=====================================================================
https://www.jenkins.io/security/advisory/2021-01-26/
_____________________________________________________________________


 Jenkins Security Advisory 2021-01-26

This advisory announces vulnerabilities in the following Jenkins
deliverables:

    Jenkins (core)


Descriptions

Arbitrary file read vulnerability in workspace browsers
SECURITY-2197 / CVE-2021-21615

Due to a time-of-check to time-of-use (TOCTOU) race condition, the file
browser for workspaces, archived artifacts, and
$JENKINS_HOME/userContent/ follows symbolic links to locations outside
the directory being browsed in Jenkins 2.275 and LTS 2.263.2.

This allows attackers with Job/Workspace permission and the ability to
control workspace contents, e.g., with Job/Configure permission or the
ability to change SCM contents, to create symbolic links that allow them
to access files outside workspaces using the workspace browser.


Note

This issue was introduced by the fix for SECURITY-1452 / CVE-2021-21602 in
the 2021-01-13 security advisory, which was applied incorrectly: the
check for symbolic links and the subsequent use of the path were
performed as two separate operations, leaving a window in which a
symbolic link could be created between them.

Jenkins 2.276 and LTS 2.263.3 no longer separate the check for symbolic
links from the use of the path in workspace browsers, which closes that
window.
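The two patterns described above (a symlink check followed by a separate
open that resolves the path again, versus a single operation that never
follows symlinks), as an added illustration that is not Jenkins code and
does not reproduce the Java fix shipped in 2.276 / 2.263.3. It is written
in Python and assumes a POSIX system where os.open supports O_NOFOLLOW
and dir_fd (Linux, macOS). The function names, the hook used to simulate
the attacker winning the race, and the directory layout in demo() are
this example's own; the hardened variant also goes beyond the specific
case in the advisory by refusing ".." and absolute paths up front.

```python
"""Added example (not Jenkins code): the TOCTOU pattern behind
SECURITY-2197 and a race-free alternative.  Assumes POSIX os.open with
O_NOFOLLOW and dir_fd support.  All names here are this example's own."""
import os
import tempfile


class PathRejected(Exception):
    """Request would leave the browsed directory (or hit a symlink)."""


# --- Vulnerable: the check and the use resolve the path separately ----------

def check_within_root(root: str, rel: str) -> None:
    """Check: resolve symlinks now and refuse if the target is outside root."""
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, rel))
    if os.path.commonpath([root_real, target]) != root_real:
        raise PathRejected(rel)


def vulnerable_browse(root: str, rel: str, between_check_and_use=None) -> bytes:
    """Check, then open by name.  open() resolves the path a second time and
    follows any symlink that appeared after the check.  The optional hook
    stands in for the attacker winning that race (constructed for the demo)."""
    check_within_root(root, rel)
    if between_check_and_use is not None:
        between_check_and_use()
    with open(os.path.join(root, rel), "rb") as f:
        return f.read()


# --- Hardened: one resolution, symlinks never followed at any component -----

def safe_open_under(root: str, rel: str) -> int:
    """Open root/rel component by component, each relative to its parent's fd
    with O_NOFOLLOW, so check and use are the same operation: a symlink
    swapped in at any time is refused (ELOOP), never followed.  '..', '.',
    empty and absolute components are rejected.  Returns an open fd."""
    parts = rel.split("/")
    if any(p in ("", ".", "..") for p in parts):
        raise PathRejected(rel)
    fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY | os.O_CLOEXEC)
    try:
        for i, part in enumerate(parts):
            flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC
            if i < len(parts) - 1:
                flags |= os.O_DIRECTORY   # intermediate components must be dirs
            try:
                child = os.open(part, flags, dir_fd=fd)
            except OSError as e:          # ELOOP (symlink), ENOTDIR, ENOENT
                raise PathRejected(rel) from e
            os.close(fd)
            fd = child
        return fd
    except BaseException:
        os.close(fd)
        raise


def safe_browse(root: str, rel: str) -> bytes:
    with os.fdopen(safe_open_under(root, rel), "rb") as f:
        return f.read()


def demo():
    """Constructed scenario: a workspace file is replaced by a symlink to a
    secret outside the workspace after the check has passed.  Returns
    (legit read, bytes the vulnerable browser leaks, hardened refused the
    symlink, hardened refused a '..' traversal)."""
    with tempfile.TemporaryDirectory() as tmp:
        workspace = os.path.join(tmp, "workspace", "job1")
        secret = os.path.join(tmp, "secrets", "master.key")
        os.makedirs(workspace)
        os.makedirs(os.path.dirname(secret))
        with open(secret, "wb") as f:
            f.write(b"SECRET")
        victim = os.path.join(workspace, "build.log")
        with open(victim, "wb") as f:
            f.write(b"harmless")

        legit = safe_browse(workspace, "build.log")

        def attacker_wins_race():
            os.remove(victim)
            os.symlink(secret, victim)

        leaked = vulnerable_browse(workspace, "build.log", attacker_wins_race)

        def refused(rel):
            try:
                safe_browse(workspace, rel)
            except PathRejected:
                return True
            return False

        return legit, leaked, refused("build.log"), refused("../secrets/master.key")


if __name__ == "__main__":
    print(demo())   # (b'harmless', b'SECRET', True, True)
```

The point of the hardened variant is not that it checks better, but that
there is nothing left to race: the only path resolution is the one that
produces the file descriptor actually read from, and that resolution is
told never to follow a link. A realpath-then-open design, however careful
the comparison, still performs two resolutions and keeps the window.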


Severity

    SECURITY-2197: Medium


Affected Versions

    Jenkins weekly up to and including 2.275
    Jenkins LTS up to and including 2.263.2


Fix

    Jenkins weekly should be updated to version 2.276
    Jenkins LTS should be updated to version 2.263.3


These versions include fixes to the vulnerabilities described above. All
prior versions are considered to be affected by these vulnerabilities
unless otherwise indicated.


Credit

The Jenkins project would like to thank the reporters for discovering
and reporting these vulnerabilities:

    Wadeck Follonier, CloudBees, Inc. and Daniel Beck, CloudBees, Inc.
for SECURITY-2197


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


