jenkins: Arbitrary file read vulnerability in workspace browsers (CVE-2021-21615)
Jenkins 2.275 and LTS 2.263.2 allows reading arbitrary files using the file browser for workspaces and archived artifacts due to a time-of-check to time-of-use (TOCTOU) race condition.
This issue is caused by an incorrectly applied fix for SECURITY-1452 / CVE-2021-21602 in the 2021-01-13 security advisory.
Fixed In Version:
jenkins 2.276, jenkins LTS 2.263.3
Reference:
https://www.jenkins.io/security/advisory/2021-01-26/
Affected branches:
-
master (c3c5fbed) -
3.13-stable