CVE-2021-21686: 
Java vulnerability analysis and mitigation

CVE-2021-21686 is a security vulnerability discovered in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier, where file path filters in the agent-to-controller security subsystem do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories. This vulnerability was part of a larger set of security issues (SECURITY-2455) affecting Jenkins' agent-to-controller access control system (Jenkins Advisory).

The vulnerability exists in the file path filtering implementation of Jenkins' agent-to-controller security subsystem. The issue stems from the lack of path canonicalization in file path filters, which allows agent processes to perform operations that follow symbolic links to directories outside the permitted scope. This vulnerability has been present since SECURITY-144 was addressed in the 2014-10-30 security advisory. The CVSS v3.1 base score for this vulnerability is 8.1 (HIGH), with the vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N (NVD).

The vulnerability allows agent processes to bypass intended directory restrictions by following symbolic links, potentially enabling unauthorized access to files outside allowed directories on the Jenkins controller file system. This could lead to unauthorized read and write access to sensitive files on the Jenkins controller (Jenkins Advisory).

The vulnerability was fixed in Jenkins 2.319 and LTS 2.303.3, where file path filters now properly canonicalize paths, preventing operations from following symbolic links to outside allowed directories. For users unable to immediately upgrade, the Remoting Security Workaround Plugin can be installed as a temporary solution, which prevents all agent-to-controller file access using FilePath APIs. However, this plugin is more restrictive and may cause incompatibility with some plugins (Jenkins Advisory).