Jenkins 2.275 and LTS 2.263.2 allows reading arbitrary files using the file browser for workspaces and archived artifacts due to a time-of-check to time-of-use (TOCTOU) race condition.
Weakness
The product checks the state of a resource before using that resource, but the resource’s state can change between the check and the use in a way that invalidates the results of the check.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Jenkins | Jenkins | * | 2.263.3 (excluding) |
| Jenkins | Jenkins | * | 2.276 (excluding) |
| Red Hat OpenShift Container Platform 4.5 | RedHat | conmon-2:2.0.21-1.rhaos4.5.el7 | * |
| Red Hat OpenShift Container Platform 4.5 | RedHat | jenkins-0:2.263.3.1612434332-1.el7 | * |
| Red Hat OpenShift Container Platform 4.5 | RedHat | machine-config-daemon-0:4.5.0-202102050524.p0.git.2594.ff3b8c0.el8 | * |
| Red Hat OpenShift Container Platform 4.5 | RedHat | openshift-0:4.5.0-202102050524.p0.git.0.9229406.el7 | * |
| Red Hat OpenShift Container Platform 4.5 | RedHat | openshift-ansible-0:4.5.0-202102031005.p0.git.0.c6839a2.el7 | * |
| Red Hat OpenShift Container Platform 4.5 | RedHat | openshift-clients-0:4.5.0-202102051529.p0.git.3612.61b096a.el7 | * |
| Red Hat OpenShift Container Platform 4.5 | RedHat | runc-0:1.0.0-72.rhaos4.5.giteadfc6b.el8 | * |
| Red Hat OpenShift Container Platform 4.6 | RedHat | jenkins-0:2.263.3.1612434510-1.el8 | * |