CVE-2021-21690: 
Java vulnerability analysis and mitigation

CVE-2021-21690 is part of a critical set of vulnerabilities discovered in Jenkins' agent-to-controller security subsystem. The vulnerability was disclosed on November 4, 2021, affecting Jenkins 2.318 and earlier, and LTS 2.303.2 and earlier versions. This specific vulnerability allows agent processes to completely bypass file path filtering by wrapping the file operation in an agent file path (Jenkins Advisory).

The vulnerability is part of SECURITY-2486 and relates to the file path filtering implementation in Jenkins. Agent processes could completely bypass the file path filtering mechanism by wrapping file operations in an agent file path, which compromised the agent-to-controller security subsystem that normally limits which files on the Jenkins controller can be accessed by agent processes. The vulnerability has been present since SECURITY-144 was addressed in the 2014-10-30 security advisory (Jenkins Advisory).

This vulnerability allows attackers with control over agent processes to read and write arbitrary files on the Jenkins controller file system, potentially compromising the security of the entire Jenkins installation. The severity is rated as Critical due to the potential for unauthorized access to sensitive files and possible system compromise (Jenkins Advisory).

The vulnerability was fixed in Jenkins 2.319 and LTS 2.303.3, where agent processes are no longer able to bypass file path filtering through this method. For users unable to immediately upgrade, installing the Remoting Security Workaround Plugin is recommended as a temporary solution, though this plugin is more restrictive and may cause incompatibility with some other plugins (Jenkins Advisory, Red Hat).