CVE-2021-21688: 
Java vulnerability analysis and mitigation

CVE-2021-21688 affects Jenkins 2.318 and earlier, LTS 2.303.2 and earlier, where the agent-to-controller security check FilePath#reading(FileVisitor) does not reject any operations, allowing users to have unrestricted read access using certain operations like creating archives and FilePath#copyRecursiveTo. This vulnerability is part of a larger set of critical security issues in Jenkins' agent-to-controller security subsystem (Jenkins Advisory).

The vulnerability exists in the file path filtering implementation of Jenkins' agent-to-controller security subsystem. Specifically, the FilePath#reading(FileVisitor) method fails to properly enforce access controls, which allows unrestricted read access through specific operations such as archive creation and FilePath#copyRecursiveTo. The vulnerability has a CVSS v3.1 base score of 7.5 (High) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability allows attackers with access to agent processes to bypass intended file access restrictions and gain unrestricted read access to files on the Jenkins controller file system. This could potentially expose sensitive information stored on the Jenkins controller (Jenkins Advisory).

The vulnerability is fixed in Jenkins 2.319 and LTS 2.303.3, where FilePath#reading(FileVisitor) correctly rejects operations if they operate on files outside allowed directories. For users unable to immediately upgrade, installing the Remoting Security Workaround Plugin is recommended as a temporary solution, though this plugin is more restrictive and may cause incompatibility with some plugins (Jenkins Advisory).