jenkins: Arbitrary file read vulnerability in workspace browsers (CVE-2021-21615)

Jenkins 2.275 and LTS 2.263.2 allows reading arbitrary files using the file browser for workspaces and archived artifacts due to a time-of-check to time-of-use (TOCTOU) race condition.

This issue is caused by an incorrectly applied fix for SECURITY-1452 / CVE-2021-21602 in the 2021-01-13 security advisory.

Fixed In Version:

jenkins 2.276, jenkins LTS 2.263.3

Reference:

https://www.jenkins.io/security/advisory/2021-01-26/

Affected branches:

master (c3c5fbed)
3.13-stable

Edited Feb 25, 2021 by Francesco Colista

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information