CVE-2021-21695 – This vulnerability in Jenkins allows agents to ... (How to Fix)

Q: What is the severity of CVE-2021-21695?

CVE-2021-21695 has a CVSS score of 8.8 (HIGH). This vulnerability in Jenkins allows agents to access files outside their permitted directories by exploiting symbolic links. Attackers can read sensitive files on the Jenkins controller, potentially exposing credentials, configuration data, or source code. It affects Jenkins 2.318 and earlier, and LTS 2.303.2 and earlier.

📋 TL;DR

This vulnerability in Jenkins allows agents to access files outside their permitted directories by exploiting symbolic links. Attackers can read sensitive files on the Jenkins controller, potentially exposing credentials, configuration data, or source code. It affects Jenkins 2.318 and earlier, and LTS 2.303.2 and earlier.

💻 Affected Systems

Products:

Jenkins

Versions: Jenkins 2.318 and earlier, Jenkins LTS 2.303.2 and earlier

Operating Systems: All operating systems running affected Jenkins versions

Default Config Vulnerable: ⚠️ Yes

Notes: All Jenkins installations with the affected versions are vulnerable by default when using agents with file system access.

📦 What is this software?

Jenkins by Jenkins

View all CVEs affecting Jenkins →

Jenkins by Jenkins

View all CVEs affecting Jenkins →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of Jenkins controller with exposure of all files, including credentials, SSH keys, and sensitive configuration data, potentially leading to lateral movement in the environment.

🟠

Likely Case

Unauthorized reading of sensitive files on the Jenkins controller, exposing credentials, API keys, and configuration secrets that could be used for further attacks.

🟢

If Mitigated

Limited impact with proper agent isolation and file system permissions preventing access to critical system files.

🌐 Internet-Facing: MEDIUM - Jenkins instances exposed to the internet are vulnerable if agents can be controlled by attackers, but exploitation requires agent access.

🏢 Internal Only: HIGH - Internal attackers or compromised agents can exploit this to escalate privileges and access sensitive files on the controller.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires control over a Jenkins agent or ability to create/modify symbolic links through agent operations. Public proof-of-concept exists in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Jenkins 2.319, Jenkins LTS 2.303.3

Vendor Advisory: https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455

Restart Required: Yes

Instructions:

1. Backup your Jenkins instance. 2. Upgrade to Jenkins 2.319 or later, or Jenkins LTS 2.303.3 or later. 3. Restart Jenkins service. 4. Verify the upgrade completed successfully.

🔧 Temporary Workarounds

Restrict agent file system access

all

Limit agent permissions to prevent file system operations that could exploit symbolic links

Configure agent security settings to restrict file system access in Jenkins security configuration

Disable symbolic link following

all

Configure Jenkins to not follow symbolic links in agent operations

Set system property -Dhudson.FilePath.disabledSymlinkSupport=true in Jenkins startup parameters

🧯 If You Can't Patch

Implement strict agent isolation and limit agent permissions to minimal required access
Monitor for suspicious file access patterns and implement file integrity monitoring on Jenkins controller

🔍 How to Verify

Check if Vulnerable:

Check Jenkins version via Manage Jenkins > About Jenkins or via CLI with 'java -jar jenkins.war --version'

Check Version:

java -jar jenkins.war --version 2>&1 | head -1

Verify Fix Applied:

Verify Jenkins version is 2.319 or later, or LTS 2.303.3 or later, and test that agents cannot access files outside permitted directories

📡 Detection & Monitoring

Log Indicators:

Unusual file access patterns from agents
Access to files outside agent workspace directories
Security audit logs showing file path traversal attempts

Network Indicators:

Unusual agent-to-controller file transfer patterns
Large data exfiltration from Jenkins controller

SIEM Query:

source="jenkins.log" AND ("FilePath" OR "symbolic link" OR "directory traversal") AND ("access denied" OR "permission error")

📊 Metadata

CVE ID: CVE-2021-21695

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-59

Published: November 4, 2021

Last Updated: November 21, 2024

🔗 References

http://www.openwall.com/lists/oss-security/2021/11/04/3 Mailing List,Third Party Advisory
https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455 Vendor Advisory
http://www.openwall.com/lists/oss-security/2021/11/04/3 Mailing List,Third Party Advisory
https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-21695, you might also want to check these: