Login Sign Up

CVE-2021-21696

9.8 CRITICAL
Remote Code Execution

📋 TL;DR

This vulnerability allows attackers controlling Jenkins agent processes to replace trusted library files in the libs/ directory, leading to unauthenticated remote code execution on the Jenkins controller. It affects Jenkins versions 2.318 and earlier, and LTS 2.303.2 and earlier. Attackers can execute arbitrary code with controller privileges.

💻 Affected Systems

Products:
  • Jenkins
Versions: Jenkins 2.318 and earlier, Jenkins LTS 2.303.2 and earlier
Operating Systems: All platforms running Jenkins
Default Config Vulnerable: ⚠️ Yes
Notes: All Jenkins installations using FilePath APIs with agent processes are vulnerable by default.

📦 What is this software?

Jenkins by Jenkins

View all CVEs affecting Jenkins →

Jenkins by Jenkins

View all CVEs affecting Jenkins →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of Jenkins controller leading to full system takeover, data exfiltration, lateral movement, and persistent backdoor installation.

🟠

Likely Case

Unauthenticated remote code execution allowing attackers to steal credentials, modify builds, and compromise connected systems.

🟢

If Mitigated

Limited impact if agents are fully trusted and network segmentation prevents unauthorized access.

🌐 Internet-Facing: HIGH - Jenkins controllers exposed to the internet are directly exploitable by attackers.
🏢 Internal Only: HIGH - Internal attackers or compromised agents can exploit this to gain controller access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires control of an agent process, which can be achieved through various means including compromised build environments.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Jenkins 2.319, Jenkins LTS 2.303.3

Vendor Advisory: https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2423

Restart Required: Yes

Instructions:

1. Backup Jenkins configuration and data. 2. Upgrade to Jenkins 2.319 or Jenkins LTS 2.303.3. 3. Restart Jenkins service. 4. Verify upgrade completed successfully.

🔧 Temporary Workarounds

Restrict agent permissions

all

Limit agent access to only necessary directories and implement strict agent trust policies.

# Configure agent security in Jenkins Manage Jenkins > Configure Global Security
# Set agent permissions to minimal required access

Network segmentation

all

Isolate Jenkins agents from sensitive networks and implement strict firewall rules.

# Configure firewall to restrict agent-controller communication
# Implement network segmentation between build environments and production

🧯 If You Can't Patch

  • Implement strict agent trust policies and audit all agent configurations
  • Isolate Jenkins controller network and implement application-level firewalls

🔍 How to Verify

Check if Vulnerable:

Check Jenkins version via Manage Jenkins > About Jenkins or run 'java -jar jenkins.war --version'

Check Version:

java -jar jenkins.war --version

Verify Fix Applied:

Verify version is 2.319 or higher (or LTS 2.303.3 or higher) and test agent file access restrictions

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized file modifications in libs/ directories
  • Unexpected library loading in controller logs
  • Agent process anomalies

Network Indicators:

  • Unusual agent-controller file transfer patterns
  • Suspicious network connections from agents

SIEM Query:

source="jenkins.log" AND ("libs/" OR "FilePath") AND ("modif" OR "write" OR "replace")

📊 Metadata

CVE ID: CVE-2021-21696
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Published: November 4, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON