CVE-2021-21695 in Jenkins
Summary
by MITRE • 11/04/2021
FilePath#listFiles lists files outside directories that agents are allowed to access when following symbolic links in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 11/09/2021
This vulnerability exists in Jenkins versions up to 2.318 and LTS 2.303.2 where the FilePath#listFiles method exhibits improper access control behavior when processing symbolic links. The flaw occurs during directory traversal operations where Jenkins fails to properly validate access permissions when following symbolic links that point outside of authorized directories. This represents a privilege escalation vulnerability that allows attackers to bypass intended access restrictions and enumerate files in directories they should not have access to.
The technical implementation of this vulnerability stems from the FilePath#listFiles method not properly enforcing directory boundaries when symbolic links are encountered during file system operations. When Jenkins processes a symbolic link that points to a location outside the permitted access scope, the system continues to traverse and list files from that external location without proper authorization checks. This behavior violates fundamental security principles of least privilege and access control enforcement. The vulnerability is particularly concerning because it operates at the file system level within Jenkins' core functionality, making it a critical weakness in the platform's security architecture.
From an operational impact perspective, this vulnerability enables unauthorized information disclosure and reconnaissance activities. Attackers with limited access to Jenkins can potentially discover sensitive files, configuration data, or system artifacts that reside outside their intended access boundaries. The vulnerability affects Jenkins installations where users or agents have the ability to create or manipulate symbolic links within accessible directories, which is common in many CI/CD environments where build agents may have expanded file system permissions. This weakness can be exploited to gain insights into system configuration, identify potential attack vectors, and facilitate further compromise of the Jenkins infrastructure.
The vulnerability aligns with CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-73 (Restriction of Paths) which focus on improper access control in file system operations. It also maps to ATT&CK technique T1083 (File and Directory Discovery) as it enables unauthorized file enumeration beyond normal access boundaries. Organizations should immediately upgrade to Jenkins versions 2.319 or later for the main release and 2.303.3 or later for LTS to remediate this vulnerability. Additional mitigations include restricting symbolic link creation permissions on Jenkins agents, implementing stricter file system access controls, and monitoring for unauthorized symbolic link creation in Jenkins-managed directories. Security teams should also conduct thorough audits of Jenkins agent configurations to ensure proper access control boundaries are maintained and that no unauthorized symbolic links exist that could be exploited to access restricted file system areas.