Arbitrary file read vulnerability in workspace browsers in Jenkins
Moderate severity
GitHub Reviewed
Published
May 24, 2022
to the GitHub Advisory Database
•
Updated Dec 15, 2023
Package
Affected versions
<= 2.263.1
>= 2.264, <= 2.274
Patched versions
2.263.2
2.275
Description
Published by the National Vulnerability Database
Jan 13, 2021
Published to the GitHub Advisory Database
May 24, 2022
Reviewed
Jun 23, 2022
Last updated
Dec 15, 2023
The file browser for workspaces, archived artifacts, and
$JENKINS_HOME/userContent/
follows symbolic links to locations outside the directory being browsed in Jenkins 2.274 and earlier, LTS 2.263.1 and earlier.This allows attackers with Job/Workspace permission and the ability to control workspace contents (e.g., with Job/Configure permission or the ability to change SCM contents) to create symbolic links that allow them to access files outside workspaces using the workspace browser.
This issue is caused by an incomplete fix for SECURITY-904 / CVE-2018-1000862 in the 2018-12-08 security advisory.
Jenkins 2.275, LTS 2.263.2 no longer supports symlinks in workspace browsers. While they may still exist on the file system, they are no longer shown on the UI, accessible via URLs, or included in directory content downloads.
This fix only changes the behavior of the Jenkins UI. Archiving artifacts still behaves as before.
References