CVE-2021-21694: 
Java vulnerability analysis and mitigation

CVE-2021-21694 is a security vulnerability discovered in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier, where several FilePath methods (toURI, hasSymlink, absolutize, isDescendant, and get*DiskSpace) did not perform any permission checks. This vulnerability was part of a larger set of critical security issues in Jenkins' agent-to-controller security subsystem that affected file path filtering implementation (Jenkins Advisory).

The vulnerability specifically affects the FilePath API methods in Jenkins, where toURI, hasSymlink, absolutize, isDescendant, and get*DiskSpace methods failed to implement proper permission checks. This was part of a critical vulnerability set that allowed agent processes to potentially read and write arbitrary files on the Jenkins controller file system. The issue has been present since approximately 2014 when SECURITY-144 was addressed (Jenkins Advisory).

The vulnerability could allow attackers with control over agent processes to bypass the agent-to-controller security subsystem, potentially gaining unauthorized access to read and write arbitrary files on the Jenkins controller file system, and obtain information about Jenkins controller file systems (Jenkins Advisory).

The vulnerability was fixed in Jenkins 2.319 and LTS 2.303.3, where FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, and FilePath#isDescendant now check stat permission, and FilePath#get*DiskSpace methods are no longer allowed to be executed by an agent. For users unable to upgrade immediately, installing the Remoting Security Workaround Plugin is recommended as a temporary solution, though this plugin is more restrictive and may cause compatibility issues with other plugins (Jenkins Advisory).