CVE-2021-21685 Overview
CVE-2021-21685 is an authorization bypass vulnerability in Jenkins 2.318 and earlier and in LTS 2.303.2 and earlier. Jenkins does not check agent-to-controller access when FilePath#mkdirs creates the parent directories of a requested path: the agent-to-controller file path rules are evaluated for the directory the agent asked for, but any missing parents are created as a side effect without being checked themselves. A malicious or compromised agent can therefore cause directories to be created on the controller in locations that the file path rules would otherwise refuse.
Critical Impact
A connected agent can create directories on the controller outside the locations the agent-to-controller file path rules permit, as a side effect of creating an allowed target directory. The directories are empty, but depending on the rule set they can land in places the controller treats as meaningful (for example, directory names that look like jobs or builds), giving an attacker a way to plant file system structure on the controller and a building block for further abuse of agent-to-controller operations in a CI/CD pipeline.
Affected Products
- Jenkins 2.318 and earlier
- Jenkins LTS 2.303.2 and earlier
Discovery Timeline
- 2021-11-04 - CVE-2021-21685 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-21685
Vulnerability Analysis
This vulnerability is classified as CWE-862 (Missing Authorization), an access control flaw in Jenkins' agent-to-controller security subsystem. FilePath#mkdirs creates a directory together with any of its parents that do not yet exist; the agent-to-controller access check was applied to the requested directory but not to those parents.
In Jenkins' distributed build architecture, agents (formerly called slaves; also referred to as nodes) connect to the controller to run builds. Steps such as copying or archiving files let agent-side code perform file operations against paths on the controller, so the agent-to-controller security subsystem restricts which controller paths those operations may touch, using rules stored under $JENKINS_HOME/secrets/filepath-filters.d. This vulnerability bypasses that restriction for the parent directories created during a mkdirs request.
When an agent-initiated FilePath#mkdirs request names a path whose parents do not exist, the controller checks the requested directory against the rules and then creates every missing parent without checking each of them. Any connected agent, including a compromised one, can therefore create directories that the rules never permitted, simply by asking for a permitted leaf beneath them.
Root Cause
The root cause is a mismatch between the path that was checked and the paths that were actually created. FilePath#mkdirs validated the target directory against the agent-to-controller file path rules, then created all missing ancestors in one step without running the same check on each ancestor. Other file operations in Jenkins check the path they actually touch; here the parents were touched but never checked, so a leaf that matches an allow rule can pull forbidden directories into existence above it.
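The following is an added example, not Jenkins code: a small model of a controller-side file path filter, with a mkdirs that checks only the requested leaf (the behaviour described above) beside one that checks every directory it would create. The single allow rule (agents may create build archive directories only) is an assumption chosen for illustration; real Jenkins rule sets are larger and live under $JENKINS_HOME/secrets/filepath-filters.d. The fake JENKINS_HOME is constructed in a temporary directory.

```python
import os
import re
import tempfile


def _norm(p: str) -> str:
    return p.replace(os.sep, "/")


class FilePathFilter:
    """Toy stand-in for the controller-side rules that decide which agent-requested
    file operations are allowed. Assumed rule: agents may create build archive
    directories (jobs/<job>/builds/<n>/archive and below) and nothing else."""

    def __init__(self, jenkins_home: str):
        self.rule = re.compile(
            re.escape(_norm(jenkins_home)) + r"/jobs/[^/]+/builds/[0-9]+/archive(/.*)?"
        )

    def allows_mkdirs(self, path: str) -> bool:
        return self.rule.fullmatch(_norm(path)) is not None


def missing_ancestors(path: str) -> list:
    """Every directory os.makedirs(path) would create, outermost first."""
    todo = []
    p = os.path.abspath(path)
    while not os.path.isdir(p):
        todo.append(p)
        parent = os.path.dirname(p)
        if parent == p:
            break
        p = parent
    return todo[::-1]


def mkdirs_vulnerable(f: FilePathFilter, path: str) -> None:
    """Models the pre-2.319 behaviour: only the requested leaf is checked,
    but every missing parent is created as a side effect."""
    if not f.allows_mkdirs(path):
        raise PermissionError(path)
    os.makedirs(path, exist_ok=True)


def mkdirs_fixed(f: FilePathFilter, path: str) -> None:
    """Models the fix: each directory that would be created is checked first."""
    for d in missing_ancestors(path):
        if not f.allows_mkdirs(d):
            raise PermissionError(d)
    os.makedirs(path, exist_ok=True)


def simulate(mkdirs) -> dict:
    """Run one hostile and one legitimate agent request against a fresh, constructed
    JENKINS_HOME and report what ended up on disk."""
    home = tempfile.mkdtemp(prefix="jenkins_home_")
    f = FilePathFilter(home)
    # Job directories are controller-owned; only 'trusted-job' exists.
    os.makedirs(os.path.join(home, "jobs", "trusted-job", "builds", "1"))
    # Hostile request: the leaf matches the rule, but satisfying it would also
    # create jobs/evil and jobs/evil/builds/7, which no rule permits.
    evil = os.path.join(home, "jobs", "evil", "builds", "7", "archive")
    try:
        mkdirs(f, evil)
        denied = None
    except PermissionError as e:
        denied = _norm(str(e))[len(_norm(home)):]
    # Legitimate request: archive directory under an existing build.
    legit = os.path.join(home, "jobs", "trusted-job", "builds", "1", "archive")
    mkdirs(f, legit)
    return {
        "evil_job_dir_created": os.path.isdir(os.path.join(home, "jobs", "evil")),
        "denied": denied,
        "legit_archive_created": os.path.isdir(legit),
    }


if __name__ == "__main__":
    print("vulnerable:", simulate(mkdirs_vulnerable))
    print("fixed:     ", simulate(mkdirs_fixed))
```

With the leaf-only check the hostile request succeeds and a `jobs/evil` directory appears on the controller; with the ancestor check it is rejected at the outermost missing parent, while the legitimate archive request still works under both.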
Attack Vector
This vulnerability is exploitable over the network by any authenticated agent connected to the Jenkins controller. An attacker who has compromised a Jenkins agent or has access to configure agent connections can exploit this flaw to create arbitrary directory structures on the controller.
The exploitation scenario involves:
- An attacker gains control of a Jenkins agent or creates a malicious agent configuration
- The malicious agent connects to the Jenkins controller
- The agent sends requests to create directories using the FilePath#mkdirs method
- The controller checks the requested directory against its file path rules but creates the missing parent directories without checking them
- Directories are created on the controller's file system as requested
Depending on the rule set in place, this could be used to create directories in locations reserved for the controller (such as directories that look like jobs or builds), to prepare the file system for further exploitation, or to disrupt Jenkins operations by creating conflicting directory structures.
Detection Methods for CVE-2021-21685
Indicators of Compromise
- Unexpected directory creation events on the Jenkins controller file system
- Unusual file system activity originating from agent-to-controller communications
- Directory structures appearing outside of expected workspace and build paths
- Job or build directories that lack the files Jenkins writes when it creates them itself (config.xml for a job, build.xml for a build), which is consistent with a bare mkdirs from an agent
Detection Strategies
- Monitor Jenkins controller file system for unexpected directory creation events
- Implement file integrity monitoring on the Jenkins controller
- Review Jenkins agent connection logs for suspicious activity patterns
- Enable detailed audit logging for agent-to-controller operations
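An added detection example, not part of the original page or of Jenkins: a scan of a JENKINS_HOME for job and build directories that carry the right names but none of the marker files Jenkins writes itself (config.xml in a job directory, build.xml in a numbered build directory). The layout assumed is the standard jobs/<name>/config.xml and jobs/<name>/builds/<n>/build.xml; the fixture it scans is constructed in a temporary directory.

```python
import os
import tempfile


def _rel(home: str, path: str) -> str:
    return os.path.relpath(path, home).replace(os.sep, "/")


def find_orphan_dirs(jenkins_home: str) -> list:
    """Flag job and build directories that lack the marker files Jenkins writes when
    it creates them: a job directory always carries config.xml and a numbered build
    directory carries build.xml. A directory with the right name but no marker is
    consistent with having been created by a bare mkdirs. Assumed layout:
    jobs/<name>/config.xml and jobs/<name>/builds/<n>/build.xml. A build that is
    only just starting may be flagged transiently."""
    findings = []
    jobs_root = os.path.join(jenkins_home, "jobs")
    if not os.path.isdir(jobs_root):
        return findings
    for job in sorted(os.listdir(jobs_root)):
        job_dir = os.path.join(jobs_root, job)
        if not os.path.isdir(job_dir):
            continue
        if not os.path.isfile(os.path.join(job_dir, "config.xml")):
            findings.append(("job-without-config.xml", _rel(jenkins_home, job_dir)))
        builds = os.path.join(job_dir, "builds")
        if not os.path.isdir(builds):
            continue
        for entry in sorted(os.listdir(builds)):
            build_dir = os.path.join(builds, entry)
            # Only numeric entries are builds; permalinks, legacyIds etc. are skipped.
            if (entry.isdigit() and os.path.isdir(build_dir)
                    and not os.path.isfile(os.path.join(build_dir, "build.xml"))):
                findings.append(("build-without-build.xml", _rel(jenkins_home, build_dir)))
    return findings


def build_fixture() -> str:
    """Constructed JENKINS_HOME: one genuine job plus the residue of a hostile mkdirs
    request (jobs/evil/builds/7/archive with no marker files anywhere above it)."""
    home = tempfile.mkdtemp(prefix="jenkins_home_")
    good = os.path.join(home, "jobs", "trusted-job")
    os.makedirs(os.path.join(good, "builds", "1"))
    open(os.path.join(good, "config.xml"), "w").close()
    open(os.path.join(good, "builds", "1", "build.xml"), "w").close()
    os.makedirs(os.path.join(home, "jobs", "evil", "builds", "7", "archive"))
    return home


if __name__ == "__main__":
    for kind, path in find_orphan_dirs(build_fixture()):
        print(f"{kind}: {path}")
```

Run it against a real controller with `find_orphan_dirs("/var/lib/jenkins")` (or wherever JENKINS_HOME lives) and review every hit; genuine jobs and builds are never without their marker files once created by Jenkins.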
Monitoring Recommendations
- Configure SentinelOne to monitor the Jenkins controller for unauthorized file system modifications
- Set up alerts for directory creation operations outside of standard Jenkins paths
- Monitor network traffic between agents and controllers for anomalous patterns
- Implement centralized logging for all Jenkins agent activities
How to Mitigate CVE-2021-21685
Immediate Actions Required
- Update Jenkins to version 2.319 or later (or LTS 2.303.3 or later)
- Review and restrict agent-to-controller access controls in Jenkins configuration
- Audit existing agent connections and remove any untrusted or unnecessary agents
- Confirm the agent-to-controller security subsystem is enabled (Manage Jenkins » Configure Global Security; it is enabled by default on new installations) and keep its file path rules as narrow as the installed plugins allow
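An added helper for the first action above, not Jenkins code: it decides whether a reported Jenkins version falls in the affected ranges, treating three-component versions (x.y.z) as the LTS line and two-component versions as weekly releases, so that LTS 2.303.2 is recognised as vulnerable even though it is numerically below weekly 2.319. The optional fetch reads the X-Jenkins response header a controller sends; it needs network access and is not exercised offline.

```python
import re
import urllib.request

# Fixed releases named in the advisory: weekly 2.319 and LTS 2.303.3.
FIXED_WEEKLY = (2, 319)
FIXED_LTS = (2, 303, 3)


def parse_version(version: str) -> tuple:
    """Turn '2.318' into (2, 318) and '2.303.2' into (2, 303, 2).
    Suffixed or otherwise unusual strings are rejected rather than guessed at."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Jenkins version: {version!r}")
    return tuple(int(x) for x in m.groups() if x is not None)


def is_vulnerable(version: str) -> bool:
    """True if the version is in an affected range for CVE-2021-21685.
    Three components means an LTS release, two means a weekly release."""
    parts = parse_version(version)
    if len(parts) == 3:
        return parts < FIXED_LTS
    return parts < FIXED_WEEKLY


def fetch_version(base_url: str, timeout: float = 5.0) -> str:
    """Read the X-Jenkins header from the controller's login page.
    Network access required; the assertions below do not call this."""
    req = urllib.request.Request(base_url.rstrip("/") + "/login")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        version = resp.headers.get("X-Jenkins")
    if version is None:
        raise RuntimeError("no X-Jenkins header; is this a Jenkins controller?")
    return version


if __name__ == "__main__":
    for v in ("2.318", "2.319", "2.303.2", "2.303.3"):
        print(v, "vulnerable" if is_vulnerable(v) else "fixed")
```

To check a live controller, call `is_vulnerable(fetch_version("https://jenkins.example.org"))`; the hostname is a placeholder.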
Patch Information
Jenkins addressed this vulnerability in Jenkins 2.319 and LTS 2.303.3. The fix applies the agent-to-controller file path check to every parent directory that FilePath#mkdirs would create, not only to the requested directory. Details are in the Jenkins Security Advisory 2021-11-04 (issue SECURITY-2455).
Additional technical discussion can be found in the corresponding oss-security mailing list post on Openwall.
Workarounds
- If immediate patching is not possible, disconnect all untrusted agents from the controller
- Implement strict network segmentation between agents and the controller
- Use the agent-to-controller security subsystem's file path rules (under $JENKINS_HOME/secrets/filepath-filters.d) to allow only the operations and paths your plugins actually need; note that the rules still cannot protect the parent directories of a mkdirs request until the fix is applied
- Consider running agents in isolated environments or containers to limit potential impact
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

