Time-of-check Time-of-use (TOCTOU) Race Condition in Jenkins and Jenkins LTS - CVE-2021-21615
Published: January 26, 2021
Vulnerability identifier: #VU50020
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-21615
CWE-ID: CWE-367
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Jenkins
Jenkins LTS
Jenkins
Jenkins LTS
Software vendor:
Jenkins
Jenkins
Description
The vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due to a race condition in the file browser for workspaces. A remote user with Job/Workspace permission and the ability to control workspace contents, e.g., with Job/Configure permission or the ability to change SCM contents, can create symbolic links that allow them to access files outside workspaces using the workspace browser.
Note, the vulnerability is caused by incorrect patch for #VU49527
Remediation
Install updates from vendor's website.