Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1xNHdwLThjOTktNjlwd84AAo_d
Improper permission checks allow canceling queue items and aborting builds in Jenkins
Jenkins 2.299 and earlier, LTS 2.289.1 and earlier allows users to cancel queue items and abort builds of jobs for which they have Item/Cancel permission even when they do not have Item/Read permission.
Jenkins 2.300 and LTS 2.289.2 require that users have Item/Read permission for applicable types in addition to Item/Cancel permission.
As a workaround on earlier versions of Jenkins, do not grant Item/Cancel permission to users who do not have Item/Read permission.
Permalink: https://github.com/advisories/GHSA-q4wp-8c99-69pw
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xNHdwLThjOTktNjlwd84AAo_d
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: 12 months ago
CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Identifiers: GHSA-q4wp-8c99-69pw, CVE-2021-21670
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-21670
- https://www.jenkins.io/security/advisory/2021-06-30/#SECURITY-2278
- http://www.openwall.com/lists/oss-security/2021/06/30/1
- https://github.com/jenkinsci/jenkins/commit/86b7d7e789586575522650c60d591605facb1d70
- https://github.com/advisories/GHSA-q4wp-8c99-69pw
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.main:jenkins-core
Affected Version Ranges: >= 2.292, <= 2.299; <= 2.289.1
Fixed in: 2.300, 2.289.2