GHSA-pxgq-gqr9-5gwx

GitHub Security Advisory

Path traversal vulnerability in Jenkins agent names

✓ GitHub Reviewed | Severity: HIGH | Has CVE

Advisory Details

Jenkins 2.274 and earlier and LTS 2.263.1 and earlier allow users with Agent/Configure permission to choose agent names that cause Jenkins to override unrelated `config.xml` files. If the global `config.xml` file is replaced, Jenkins will start up with unsafe legacy defaults after a restart.

Jenkins 2.275 and LTS 2.263.2 ensure that agent names are valid item names, which prevents this problem.

In case of problems, this change can be reverted by setting the [Java system property](https://www.jenkins.io/doc/book/managing/system-properties/) `jenkins.model.Nodes.enforceNameRestrictions` to `false`.
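
The check below is an added example, not code from the advisory or from Jenkins: it audits a list of existing agent names for ones that would not pass item-name validation or whose `config.xml` would resolve outside its own directory. It assumes agent configuration is stored at `$JENKINS_HOME/nodes/<name>/config.xml` and that the forbidden-character set matches Jenkins item-name rules; the function names, home path and sample names are constructed for illustration.

```python
import posixpath

# Assumption: modeled on Jenkins item-name validation, not copied from the project.
FORBIDDEN = set('?*/\\%!@#$^&|<>[]:;')

def name_problem(name):
    """Return why `name` is not a valid item name, or None if acceptable."""
    if not name:
        return "empty name"
    if name.strip() in (".", ".."):
        return "relative path component"
    for ch in name:
        if ord(ch) < 0x20 or 0x7F <= ord(ch) <= 0x9F:
            return "control character"
        if ch in FORBIDDEN:
            return f"forbidden character {ch!r}"
    return None

def config_path(jenkins_home, name):
    """Normalised location of the agent's config.xml (assumed layout)."""
    return posixpath.normpath(
        posixpath.join(jenkins_home, "nodes", name, "config.xml"))

def escapes_nodes_dir(jenkins_home, name):
    """True unless the file resolves to exactly nodes/<one directory>/config.xml."""
    nodes = posixpath.normpath(posixpath.join(jenkins_home, "nodes"))
    target = config_path(jenkins_home, name)
    return posixpath.dirname(posixpath.dirname(target)) != nodes

def audit(jenkins_home, names):
    """Return (name, reason, resolved path) for every agent name to review."""
    findings = []
    for name in names:
        reason = name_problem(name)
        if reason is None and escapes_nodes_dir(jenkins_home, name):
            reason = "config.xml resolves outside nodes/<name>/"
        if reason:
            findings.append((name, reason, config_path(jenkins_home, name)))
    return findings

# Constructed inventory, e.g. exported from an instance that predates the fix.
HOME = "/var/lib/jenkins"
SAMPLE = ["build-agent-01", "linux x64", "../elsewhere", "a/b", ".."]

if __name__ == "__main__":
    for name, reason, path in audit(HOME, SAMPLE):
        print(f"REVIEW {name!r}: {reason} -> {path}")
```

Names flagged here would also be rejected once `jenkins.model.Nodes.enforceNameRestrictions` is left at its default, so they are worth renaming before or after the upgrade.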

Affected Packages

Maven org.jenkins-ci.main:jenkins-core
Affected versions: 0 (fixed in 2.263.2)
Maven org.jenkins-ci.main:jenkins-core
Affected versions: 2.264 (fixed in 2.275)

Key Information

GHSA ID: GHSA-pxgq-gqr9-5gwx
Published: May 24, 2022 5:39 PM
Last Modified: December 13, 2022 3:18 PM
CVSS Score: 7.5 / 10
Primary Ecosystem: Maven
Primary Package: org.jenkins-ci.main:jenkins-core
GitHub Reviewed: ✓ Yes

Dataset

Last updated: August 24, 2025 6:28 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.