Multiple vulnerabilities in Jenkins and Jenkins LTS



Published: 2021-10-08
Risk Medium
Patch available YES
Number of vulnerabilities 3
CVE-ID CVE-2021-21682
CVE-2014-3577
CVE-2021-21683
CWE-ID CWE-42
CWE-295
CWE-22
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Jenkins
Server applications / Application servers

Jenkins LTS
Server applications / Application servers

Vendor Jenkins

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Path Equivalence

EUVDB-ID: #VU57147

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-21682

CWE-ID: CWE-42 - Path Equivalence

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system. 

The vulnerability exists due to improper handling of equivalent directory names on Windows. A remote authenticated attacker can change or replace configurations of jobs and other entities. 

Mitigation

Install update from vendor's website.

Vulnerable software versions

Jenkins: 2.0 - 2.314

Jenkins LTS: 2.7.1 - 2.303.1


CPE2.3 External links

http://jenkins.io/security/advisory/2021-10-06/

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Improper Certificate Validation

EUVDB-ID: #VU57150

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2014-3577

CWE-ID: CWE-295 - Improper Certificate Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to improper certificate validation. A remote attacker can perform a man-in-the-middle (MitM) attack and spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Jenkins: 2.0 - 2.314

Jenkins LTS: 2.7.1 - 2.303.1


CPE2.3 External links

http://jenkins.io/security/advisory/2021-10-06/

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

3) Path traversal

EUVDB-ID: #VU57148

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-21683

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences on Windows. A remote authenticated attacker can send a specially crafted HTTP request and read arbitrary files on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Jenkins: 2.0 - 2.314

Jenkins LTS: 2.7.1 - 2.303.1


CPE2.3 External links

http://jenkins.io/security/advisory/2021-10-06/

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###