CVE-2021-21695: 
Java vulnerability analysis and mitigation

CVE-2021-21695 is a security vulnerability discovered in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier, where FilePath#listFiles lists files outside directories that agents are allowed to access when following symbolic links. This vulnerability was part of a larger set of critical vulnerabilities in the agent-to-controller security subsystem that affected Jenkins' file path filtering implementation (Jenkins Advisory).

The vulnerability exists in the FilePath#listFiles implementation where the system fails to properly check stat permissions on files it returns, allowing the listing of files outside allowed directories when following symbolic links. This was one of multiple vulnerabilities in Jenkins' agent-to-controller security subsystem that could allow agent processes to read and write arbitrary files on the Jenkins controller file system (Jenkins Advisory).

This vulnerability could allow attackers with control over agent processes to list files outside of their permitted directories on the Jenkins controller file system, potentially exposing sensitive information. The issue was rated as part of a Critical severity group of vulnerabilities affecting the agent-to-controller security subsystem (Jenkins Advisory).

The vulnerability was fixed in Jenkins 2.319 and LTS 2.303.3, where FilePath#listFiles now checks stat permission on files it returns, preventing listing of files outside allowed directories. For users unable to immediately upgrade, installing the Remoting Security Workaround Plugin is recommended as a temporary solution, though this plugin is more restrictive and may cause incompatibility with some other plugins (Jenkins Advisory).