{
  "threat_severity" : "Important",
  "public_date" : "2021-11-04T14:20:00Z",
  "bugzilla" : {
    "description" : "jenkins: Creating symbolic links is possible without the symlink permission",
    "id" : "2020338",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2020338"
  },
  "cvss3" : {
    "cvss3_base_score" : "9.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-276",
  "details" : [ "Creating symbolic links is possible without the 'symlink' agent-to-controller access control permission in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.", "A vulnerability was found in Jenkins which failed to correctly validate permissions. This flaw allowed any user to create symbolic links regardless if they had the symlink permission. It may allow an attacker to read and write to arbitrary files on the Jenkins controller file system." ],
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "release_date" : "2021-12-02T00:00:00Z",
    "advisory" : "RHSA-2021:4827",
    "cpe" : "cpe:/a:redhat:openshift:3.11::el7",
    "package" : "jenkins-0:2.303.3.1637698110-1.el7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.6",
    "release_date" : "2021-12-02T00:00:00Z",
    "advisory" : "RHSA-2021:4799",
    "cpe" : "cpe:/a:redhat:openshift:4.6::el8",
    "package" : "jenkins-0:2.303.3.1637597493-1.el8"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.7",
    "release_date" : "2021-12-01T00:00:00Z",
    "advisory" : "RHSA-2021:4801",
    "cpe" : "cpe:/a:redhat:openshift:4.7::el8",
    "package" : "jenkins-0:2.303.3.1637597018-1.el8"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.8",
    "release_date" : "2021-11-30T00:00:00Z",
    "advisory" : "RHSA-2021:4829",
    "cpe" : "cpe:/a:redhat:openshift:4.8::el8",
    "package" : "jenkins-0:2.303.3.1637596565-1.el8"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.9",
    "release_date" : "2021-11-29T00:00:00Z",
    "advisory" : "RHSA-2021:4833",
    "cpe" : "cpe:/a:redhat:openshift:4.9::el8",
    "package" : "jenkins-0:2.303.3.1637595827-1.el8"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Not affected",
    "package_name" : "jenkins",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-21691\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-21691\nhttps://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455" ],
  "name" : "CVE-2021-21691",
  "mitigation" : {
    "value" : "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.",
    "lang" : "en:us"
  },
  "csaw" : false
}