{"containers": {"cna": {"affected": [{"product": "Jenkins", "vendor": "Jenkins project", "versions": [{"lessThanOrEqual": "2.318", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThanOrEqual": "LTS 2.303.2", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Creating symbolic links is possible without the 'symlink' agent-to-controller access control permission in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2023-10-24T15:52:03.167Z"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "jenkinsci-cert@googlegroups.com", "ID": "CVE-2021-21691", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Jenkins", "version": {"version_data": [{"version_affected": "<=", "version_value": "2.318"}, {"version_affected": "<=", "version_value": "LTS 2.303.2"}]}}]}, "vendor_name": "Jenkins project"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Creating symbolic links is possible without the 'symlink' agent-to-controller access control permission in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-863: Incorrect Authorization"}]}]}, "references": {"reference_data": [{"name": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455", "refsource": "CONFIRM", "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:23:27.504Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455"}]}]}, "cveMetadata": {"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2021-21691", "datePublished": "2021-11-04T16:30:33.000Z", "dateReserved": "2021-01-04T00:00:00.000Z", "dateUpdated": "2024-08-03T18:23:27.504Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*", "matchCriteriaId": "0B0C915B-C3A9-4BB9-B122-749CF43BB7DE", "versionEndExcluding": "2.303.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*", "matchCriteriaId": "3D231DBA-462F-4BC5-8F04-23109A7EF1F8", "versionEndExcluding": "2.319", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Creating symbolic links is possible without the 'symlink' agent-to-controller access control permission in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier."}, {"lang": "es", "value": "Una creaci\u00f3n de enlaces simb\u00f3licos es posible sin el permiso de control de acceso del agente-controlador \"symlink\" en Jenkins versiones 2.318 y anteriores, LTS versiones 2.303.2 y anteriores"}], "id": "CVE-2021-21691", "lastModified": "2024-11-21T05:48:50.593", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-11-04T17:15:08.607", "references": [{"source": "jenkinsci-cert@googlegroups.com", "tags": ["Vendor Advisory"], "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-59"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2021:4827", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "jenkins-0:2.303.3.1637698110-1.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2021-12-02T00:00:00Z"}, {"advisory": "RHSA-2021:4799", "cpe": "cpe:/a:redhat:openshift:4.6::el8", "package": "jenkins-0:2.303.3.1637597493-1.el8", "product_name": "Red Hat OpenShift Container Platform 4.6", "release_date": "2021-12-02T00:00:00Z"}, {"advisory": "RHSA-2021:4801", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "jenkins-0:2.303.3.1637597018-1.el8", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-12-01T00:00:00Z"}, {"advisory": "RHSA-2021:4829", "cpe": "cpe:/a:redhat:openshift:4.8::el8", "package": "jenkins-0:2.303.3.1637596565-1.el8", "product_name": "Red Hat OpenShift Container Platform 4.8", "release_date": "2021-11-30T00:00:00Z"}, {"advisory": "RHSA-2021:4833", "cpe": "cpe:/a:redhat:openshift:4.9::el8", "package": "jenkins-0:2.303.3.1637595827-1.el8", "product_name": "Red Hat OpenShift Container Platform 4.9", "release_date": "2021-11-29T00:00:00Z"}], "bugzilla": {"description": "jenkins: Creating symbolic links is possible without the symlink permission", "id": "2020338", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020338"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.0", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-276", "details": ["Creating symbolic links is possible without the 'symlink' agent-to-controller access control permission in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.", "A vulnerability was found in Jenkins which failed to correctly validate permissions. This flaw allowed any user to create symbolic links regardless if they had the symlink permission. It may allow an attacker to read and write to arbitrary files on the Jenkins controller file system."], "mitigation": {"lang": "en:us", "value": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible."}, "name": "CVE-2021-21691", "package_state": [{"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "jenkins", "product_name": "Red Hat Fuse 7"}], "public_date": "2021-11-04T14:20:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-21691\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-21691\nhttps://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455"], "threat_severity": "Important"}

{}