Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS00NjI1LXE1MnctMzljeM4AAnOJ
Missing permission check for paths with specific prefix in Jenkins
Jenkins includes a static list of URLs that are always accessible even without Overall/Read permission, such as the login form. These URLs are excluded from an otherwise universal permission check.
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not correctly compare requested URLs with that list.
This allows attackers without Overall/Read permission to access plugin-provided URLs with any of the following prefixes if no other permissions are required:
accessDenied
error
instance-identity
login
logout
oops
securityRealm
signup
tcpSlaveAgentListener
For example, a plugin contributing the path loginFoo/
would have URLs in that space accessible without the default Overall/Read permission check.
The Jenkins security team is not aware of any affected plugins as of the publication of this advisory.
The comparison of requested URLs with the list of always accessible URLs has been fixed to only allow access to the specific listed URLs in Jenkins 2.275, LTS 2.263.2.
In case this change causes problems, additional paths can be made accessible without Overall/Read permissions: The Java system property jenkins.model.Jenkins.additionalReadablePaths
is a comma-separated list of additional path prefixes to allow access to.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00NjI1LXE1MnctMzljeM4AAnOJ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: 11 months ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-4625-q52w-39cx, CVE-2021-21609
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-21609
- https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2047
- https://github.com/jenkinsci/jenkins/commit/fe9091fc74d55a56fd36544f3038d47c8cb331a4
- https://github.com/advisories/GHSA-4625-q52w-39cx
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.main:jenkins-core
Affected Version Ranges: >= 2.264, <= 2.274, <= 2.263.1Fixed in: 2.275, 2.263.2