CVE-2021-21689

9.1 CRITICAL

📋 TL;DR

This vulnerability in Jenkins allows agents to bypass access controls and execute arbitrary file operations on the controller's filesystem. It affects Jenkins instances with agent-to-controller security enabled, potentially allowing unauthorized file extraction and manipulation.

💻 Affected Systems

Products:
  • Jenkins
Versions: Jenkins 2.318 and earlier, Jenkins LTS 2.303.2 and earlier
Operating Systems: All operating systems running Jenkins
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects instances using Jenkins agents with agent-to-controller security features enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker with agent access could extract malicious archives to arbitrary locations on the controller, leading to remote code execution, data theft, or complete system compromise.

🟠 Likely Case

Malicious agents could overwrite critical configuration files, install backdoors, or extract sensitive data from the controller filesystem.

🟢 If Mitigated

With proper agent-to-controller access controls, only authorized file operations would be permitted, limiting impact to intended functionality.

🌐 Internet-Facing: HIGH if Jenkins agents can be accessed from the internet, as this could allow external attackers to compromise the controller.
🏢 Internal Only: HIGH as internal malicious actors or compromised agents could exploit this vulnerability to escalate privileges and compromise the Jenkins controller.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to a Jenkins agent, but the vulnerability itself is straightforward to exploit once agent access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Jenkins 2.319, Jenkins LTS 2.303.3

Vendor Advisory: https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455

Restart Required: Yes

Instructions:

1. Backup your Jenkins instance.
2. Upgrade to Jenkins 2.319 or later, or Jenkins LTS 2.303.3 or later.
3. Restart Jenkins.
4. Verify the upgrade was successful.

🔧 Temporary Workarounds

Disable vulnerable file operations (applies to: all)

  • Remove or restrict access to the FilePath#unzip and FilePath#untar methods in Jenkins scripts and pipelines
  • Review and modify Jenkinsfiles and pipeline scripts to avoid using the vulnerable file operations

Restrict agent permissions (applies to: all)

  • Tighten agent-to-controller security settings to limit what agents can access
  • Configure agent security settings under Manage Jenkins > Configure Global Security

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Jenkins agents from sensitive systems
  • Enable comprehensive logging and monitoring of all agent-to-controller file operations

🔍 How to Verify

Check if Vulnerable:

Check Jenkins version via Manage Jenkins > About Jenkins or via CLI with 'java -jar jenkins.war --version'

Check Version:

java -jar jenkins.war --version

Verify Fix Applied:

Verify Jenkins version is 2.319 or later, or LTS 2.303.3 or later, and test that agent file operations are properly restricted
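A version check built around the numbers on this page, added here as an example (not tooling from Jenkins or the advisory): it parses the output of `java -jar jenkins.war --version`, tells the LTS line (three version components) apart from the weekly line (two), and compares against the matching fix version, since an LTS 2.303.2 is vulnerable while a weekly 2.319 is not despite looking "older" in a naive string comparison.

```python
import re

# Fix versions stated on this page: weekly 2.319, LTS 2.303.3.
FIXED_WEEKLY = (2, 319)
FIXED_LTS = (2, 303, 3)

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(output: str) -> tuple:
    """Extract the version tuple from `java -jar jenkins.war --version` output.

    Weekly releases carry two components (2.318); LTS releases carry three
    (2.303.2). Any suffix after the digits (e.g. '-SNAPSHOT') is ignored.
    """
    m = VERSION_RE.search(output)
    if not m:
        raise ValueError(f"no Jenkins version found in: {output!r}")
    return tuple(int(p) for p in m.groups() if p is not None)


def release_line(version: tuple) -> str:
    """Three components means an LTS release; two means a weekly release."""
    return "lts" if len(version) == 3 else "weekly"


def is_vulnerable(version: tuple) -> bool:
    """True when the version is below the fix for its own release line."""
    fixed = FIXED_LTS if release_line(version) == "lts" else FIXED_WEEKLY
    return version < fixed  # tuple comparison is component-wise


def assess(output: str) -> dict:
    """Summarise the check for one controller's --version output."""
    version = parse_version(output)
    return {
        "version": ".".join(str(p) for p in version),
        "line": release_line(version),
        "vulnerable": is_vulnerable(version),
    }


if __name__ == "__main__":
    # Constructed sample outputs, not captured from a real controller.
    for sample in ("2.318", "2.319", "2.303.2", "2.303.3", "2.289.1"):
        print(assess(sample))
```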

📡 Detection & Monitoring

Log Indicators:

  • Unusual file extraction operations from agents
  • Archive extraction to unexpected locations
  • Agent-initiated file writes to sensitive paths

Network Indicators:

  • Unexpected agent-to-controller file transfer patterns
  • Archive files being sent from agents to controller

SIEM Query:

source="jenkins.log" AND ("unzip" OR "untar" OR "extract") AND agent_activity=true
