jenkins: Arbitrary file read vulnerability in workspace browsers (CVE-2021-21615)
Jenkins 2.275 and LTS 2.263.2 allows reading arbitrary files using the file browser for workspaces and archived artifacts due to a time-of-check to time-of-use (TOCTOU) race condition.
This issue is caused by an incorrectly applied fix for SECURITY-1452 / CVE-2021-21602 in the 2021-01-13 security advisory.
Fixed In Version:
jenkins 2.276, jenkins LTS 2.263.3
Reference:
https://www.jenkins.io/security/advisory/2021-01-26/
Affected branches:
- master (c3c5fbed)
- 3.13-stable
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information