CVE-2021-21683: 
Java vulnerability analysis and mitigation

The vulnerability CVE-2021-21683 affects Jenkins 2.314 and earlier, and Jenkins LTS 2.303.1 and earlier versions. This path traversal vulnerability was discovered in the file browser component of Jenkins, specifically affecting Windows-based installations. The vulnerability was disclosed on October 6, 2021, and was assigned a medium severity rating (Jenkins Advisory, NVD).

The vulnerability stems from the file browser's handling of paths for workspaces, archived artifacts, and userContent/ directories on Windows systems. The file browser may incorrectly interpret some paths to files as absolute paths, leading to a path traversal vulnerability. The issue has been assigned a CVSS v3.1 base score of 6.5 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (NVD).

When exploited, this vulnerability allows attackers with Overall/Read permission on Windows controllers or Job/Workspace permission on Windows agents to obtain the contents of arbitrary files on the system. This represents a significant information disclosure risk for affected Jenkins installations (Jenkins Advisory).

The vulnerability has been fixed in Jenkins 2.315 and Jenkins LTS 2.303.2. In these versions, the file browser has been updated to refuse serving files that would be considered absolute paths. Organizations running affected versions should upgrade to these patched versions to mitigate the vulnerability (Jenkins Advisory).

The vulnerability was discovered and reported by Mümin Köykıran, demonstrating the active security research community's involvement in Jenkins security (Jenkins Advisory).