CVE-2021-21697 Overview
CVE-2021-21697 is a critical authorization bypass vulnerability affecting Jenkins automation server that allows any agent to read and write the contents of any build directory stored in Jenkins with very few restrictions. This vulnerability represents a significant security gap in Jenkins' agent-to-controller access control mechanisms, potentially allowing compromised or malicious agents to access sensitive build artifacts, credentials, and configuration data across the entire Jenkins instance.
Critical Impact
Compromised Jenkins agents can read and modify any build directory contents, potentially exposing sensitive credentials, source code, and build artifacts while enabling supply chain attacks through build manipulation.
Affected Products
- Jenkins versions 2.318 and earlier
- Jenkins LTS versions 2.303.2 and earlier
- All Jenkins installations utilizing build agents
Discovery Timeline
- 2021-11-04 - CVE-2021-21697 published to NVD
- 2021-11-04 - Jenkins releases security advisory (SECURITY-2428)
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-21697
Vulnerability Analysis
This vulnerability exists in Jenkins' Agent-to-Controller Access Control system, which is designed to limit what agents can do on the controller. The flaw allows any connected agent to bypass intended access restrictions and gain unauthorized read and write access to build directories stored on the Jenkins controller.
Build directories in Jenkins contain highly sensitive information including build logs, archived artifacts, workspace contents, and potentially exposed credentials or secrets used during the build process. An attacker who has compromised a Jenkins agent, or an insider with access to an agent, can exploit this vulnerability to exfiltrate sensitive data from other projects' builds or inject malicious content into build artifacts.
The vulnerability is particularly dangerous in shared Jenkins environments where multiple teams or projects share the same Jenkins instance with different trust levels. A low-privilege agent associated with one project could potentially access or tamper with builds from other, more sensitive projects.
Root Cause
The root cause stems from insufficient access control enforcement in the agent-to-controller security subsystem. Jenkins failed to properly restrict file system operations initiated by agents to only the directories associated with their assigned builds. The missing authorization checks allowed agents to specify arbitrary paths within the build directory structure, bypassing the intended isolation between different builds and projects.
Attack Vector
The attack is network-based and can be executed by any connected Jenkins agent. An attacker would need to either compromise an existing agent or deploy a malicious agent that connects to the target Jenkins controller. Once connected, the malicious agent can issue requests to read or write files in any build directory.
The attack does not require user interaction and can be automated. Attack scenarios include:
- Data Exfiltration: Reading build artifacts, logs, or temporarily stored credentials from other projects
- Build Tampering: Modifying build artifacts to inject malicious code into software deliverables
- Credential Theft: Accessing secrets that may be written to build directories during pipeline execution
- Supply Chain Attacks: Manipulating build outputs to compromise downstream consumers of Jenkins-built artifacts
Detection Methods for CVE-2021-21697
Indicators of Compromise
- Unusual file access patterns in Jenkins build directories by agents not associated with those builds
- Agent connections from unexpected network locations or IP addresses
- Anomalous read/write operations to build directories outside an agent's assigned workspace
- Unexpected modifications to build artifacts or archived files
Detection Strategies
- Monitor Jenkins controller logs for agent file operations accessing directories outside their designated workspace
- Implement file integrity monitoring on Jenkins build directories to detect unauthorized modifications
- Review agent connection logs for unauthorized or suspicious agent registrations
- Deploy network monitoring to detect data exfiltration from the Jenkins controller
Monitoring Recommendations
- Enable detailed audit logging for all agent-to-controller communications
- Configure alerts for cross-project build directory access attempts
- Implement periodic reviews of agent registration and their associated credentials
- Monitor for changes to build artifacts after builds have completed
How to Mitigate CVE-2021-21697
Immediate Actions Required
- Upgrade Jenkins to version 2.319 or later immediately
- For LTS users, upgrade to Jenkins LTS 2.303.3 or later
- Review and audit all connected agents for unauthorized access or compromise
- Rotate any credentials that may have been exposed in build directories
Patch Information
Jenkins has addressed this vulnerability in the following releases:
- Jenkins weekly: Version 2.319 and later
- Jenkins LTS: Version 2.303.3 and later
The fix implements proper access control checks to ensure agents can only access build directories associated with their assigned builds. Administrators should consult the Jenkins Security Advisory #SECURITY-2428 for complete details on the patch and any additional configuration requirements.
Workarounds
- Restrict network access to the Jenkins controller to limit which systems can connect as agents
- Review and minimize the number of connected agents to reduce the attack surface
- Implement network segmentation to isolate Jenkins infrastructure from less trusted networks
- Consider running sensitive builds on dedicated, isolated Jenkins instances until patching is complete
- Enable and review Agent-to-Controller Access Control settings in Jenkins configuration
# Verify Jenkins version after patching
java -jar jenkins-cli.jar -s http://localhost:8080/ version
# Expected output should show 2.319+ or LTS 2.303.3+
# Review connected agents
java -jar jenkins-cli.jar -s http://localhost:8080/ list-node
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
