CVE-2021-21687
Description
Jenkins 2.318 and earlier, LTS 2.303.2 and earlier fails to check agent-to-controller access when creating symbolic links via FilePath#untar, allowing arbitrary file read/write.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins 2.318 and earlier, LTS 2.303.2 and earlier fails to check agent-to-controller access when creating symbolic links via FilePath#untar, allowing arbitrary file read/write.
Vulnerability
Jenkins core versions 2.318 and earlier, and LTS 2.303.2 and earlier, do not properly check agent-to-controller access permissions when creating symbolic links during the unarchiving process in the FilePath#untar method. Specifically, when extracting a tar archive containing a symbolic link, the method does not verify that the agent has permission to create that link, potentially allowing operations outside allowed directories [1][2].
Exploitation
An attacker with agent control (e.g., a malicious agent or a compromised agent) can craft a tar archive containing symbolic links that point to sensitive files on the Jenkins controller file system. When the agent triggers the FilePath#untar operation on the controller, the symbolic link is created without proper access control checks, enabling the attacker to later read or write to those paths via other file operations [1].
Impact
Successful exploitation allows an attacker to bypass the agent-to-controller access control subsystem and achieve arbitrary read and write access to files on the Jenkins controller file system. This can lead to full compromise of the Jenkins controller, including disclosure of secrets, credentials, and potential remote code execution [1][2].
Mitigation
The vulnerability is fixed in Jenkins 2.319 and LTS 2.303.3. Users should upgrade to these versions or later. No workarounds are available. Jenkins has also released a security advisory detailing the issue [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.jenkins-ci.main:jenkins-coreMaven | < 2.303.3 | 2.303.3 |
org.jenkins-ci.main:jenkins-coreMaven | >= 2.304, < 2.319 | 2.319 |
Affected products
3- osv-coords2 versions
< 2.319.0+ 1 more
- (no CPE)range: < 2.319.0
- (no CPE)range: < 2.303.3
- Range: unspecified
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/advisories/GHSA-3q84-vrvx-rfvfghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-21687ghsaADVISORY
- www.jenkins.io/security/advisory/2021-11-04/ghsax_refsource_CONFIRMWEB
News mentions
1- Jenkins Security Advisory 2021-11-04Jenkins Security Advisories · Nov 4, 2021