CVE-2021-21609
Published 2021-01-13. CVE-2021-21609: Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not correctly match requested URLs to the list of always accessible paths, allowing attackers without…
Priority P4 · 26 · medium · 5.3 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 1.31% (67.0th percentile)
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not correctly match requested URLs to the list of always accessible paths, allowing attackers without Overall/Read permission to access some URLs as if they did have Overall/Read permission.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | anything_goes_formatter_plugin | — | — |
| jenkins | bumblebee_hp_alm_plugin | — | — |
| jenkins | jenkins | <= 2.263.1 | — |
| jenkins | jenkins | <= 2.274 | — |
| jenkins | jenkins_core | — | — |
| jenkins | jenkins_lts | — | — |
| jenkins | jenkins_weekly | — | — |
| jenkins | tics_plugin | — | — |
| jenkins_project | jenkins | unspecified – 2.274 | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vendor_redhat | — | 5.3 | MEDIUM | — |
Red Hat
jenkins: Missing permission check for paths with specific prefix
vendor_redhat·2021-01-13·CVSS 5.3
CVE-2021-21609 [MEDIUM] CWE-863 jenkins: Missing permission check for paths with specific prefix
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not correctly match requested URLs to the list of always accessible paths, allowing attackers without Overall/Read permission to access some URLs as if they did have Overall/Read permission.
Package: jenkins (Red Hat Fuse 7) - Not affected
Jenkins
Jenkins Security Advisory 2021-01-13
vendor_jenkins·2021-01-13·CVSS 5.4
CVE-2018-1000862 [MEDIUM] Jenkins Security Advisory 2021-01-13
This advisory announces vulnerabilities in the following Jenkins deliverables:
- Jenkins (core)
- Bumblebee HP ALM Plugin
- TICS Plugin
- tracetronic ecu.test Plugin
Descriptions
XSS vulnerability in notification bar
SECURITY-1889 / CVE-2021-21603
Severity (CV
OSV
Missing permission check for paths with specific prefix in Jenkins
osv·2022-05-24
CVE-2021-21609 [MEDIUM] Missing permission check for paths with specific prefix in Jenkins
Jenkins includes a static list of URLs that are always accessible even without Overall/Read permission, such as the login form. These URLs are excluded from an otherwise universal permission check.
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not correctly compare requested URLs with that list.
This allows attackers without Overall/Read permission to access plugin-provided URLs with any of the following prefixes if no other permissions are required:
- `accessDenied`
- `error`
- `instance-identity`
- `login`
- `logout`
- `oops`
- `securityRealm`
- `signup`
- `tcpSlaveAgentListener`
For example, a plugin contributing the path `loginFoo/` would have URLs in that space accessible without the default Overall/Read
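The advisory describes the defect as a comparison between the requested URL and the static always-readable list that is too loose, so that a plugin path such as `loginFoo/` is treated like `login`. The following is an added illustrative model in Python, not Jenkins' own (Java) code and not the actual patch: it puts a prefix-style comparison (the class of bug described above) beside a whole-segment comparison, and lists which of a set of constructed request paths only the loose check lets through. The function names, the `hardened` flag and the sample requests are assumptions made for this example; the nine list entries and the `loginFoo` path come from the advisory text.

```python
"""Model of an always-readable-path check, contrasting a loose prefix
comparison with a whole-segment comparison.

Illustrative example only: this is not Jenkins source and does not claim
to reproduce its fix. It exists to show why 'starts with' is the wrong
test for an allowlist of URL namespaces.
"""

from urllib.parse import urlsplit

# The nine always-readable entries listed in the advisory.
ALWAYS_READABLE_PATHS = frozenset({
    "accessDenied", "error", "instance-identity", "login", "logout",
    "oops", "securityRealm", "signup", "tcpSlaveAgentListener",
})


def first_segment(rest_of_url: str) -> str:
    """Return the first path segment of a request, ignoring the query
    string and leading slashes (e.g. '/login/x?y=1' -> 'login')."""
    path = urlsplit(rest_of_url).path.lstrip("/")
    return path.split("/", 1)[0]


def always_readable_prefix_match(rest_of_url: str) -> bool:
    """Loose model (the defect class): the URL is treated as always
    readable if it merely *starts with* an entry, so '/loginFoo/...'
    is excluded from the Overall/Read check as though it were '/login'."""
    path = urlsplit(rest_of_url).path.lstrip("/")
    return any(path.startswith(entry) for entry in ALWAYS_READABLE_PATHS)


def always_readable_segment_match(rest_of_url: str) -> bool:
    """Hardened model: only the whole first path segment may match, so
    '/login' and '/login/...' pass but '/loginFoo/...' does not."""
    return first_segment(rest_of_url) in ALWAYS_READABLE_PATHS


def requires_overall_read(rest_of_url: str, *, hardened: bool = True) -> bool:
    """True when the request must still pass the Overall/Read check.
    The `hardened` flag (an assumption of this example) selects which
    comparison is used."""
    matcher = always_readable_segment_match if hardened else always_readable_prefix_match
    return not matcher(rest_of_url)


def bypass_candidates(urls):
    """Audit helper: return the paths that the loose model exempts from
    the permission check but the whole-segment model does not. Run over
    the root paths your installed plugins contribute, this is the set the
    advisory is warning about."""
    return [
        u for u in urls
        if always_readable_prefix_match(u) and not always_readable_segment_match(u)
    ]


# Constructed sample requests (not taken from the page). 'loginFoo' is the
# advisory's own illustration of a plugin path sharing a prefix with 'login'.
SAMPLE_REQUESTS = [
    "/login",
    "/login/",
    "/login?from=%2F",
    "/loginFoo/",
    "/loginFoo/secret",
    "/securityRealm/user/admin",
    "/securityRealmDump",
    "/job/build/",
    "/",
]

if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        print(
            f"{url:28} loose-open={always_readable_prefix_match(url)!s:5} "
            f"segment-open={always_readable_segment_match(url)}"
        )
    print("exempted only by the loose check:", bypass_candidates(SAMPLE_REQUESTS))
```

The whole-segment comparison is one reasonable way to express "this namespace is always readable"; the point the example makes is independent of the exact implementation Jenkins chose: an allowlist of URL namespaces has to be compared segment by segment, because a plugin is free to register a root path that happens to begin with one of the allowlisted words.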
GHSA
Missing permission check for paths with specific prefix in Jenkins
ghsa·2022-05-24
CVE-2021-21609 [MEDIUM] CWE-863 Missing permission check for paths with specific prefix in Jenkins
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2021-01-13