CVE-2021-21609: Incorrect Authorization in Project Jenkins

Severity: 5.3 MEDIUM (NVD)
EPSS: 0.1% (top 64.52%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 13; latest update May 24

Description

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not correctly match requested URLs to the list of always accessible paths, allowing attackers without Overall/Read permission to access some URLs as if they did have Overall/Read permission.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 3.9 | Impact: 1.4

Affected Packages (2 packages)

NVD: jenkins/jenkins, 2.263.1 (+1)
CVEListV5: jenkins_project/jenkins, unspecified, 2.274 (+1)

Vulnerability Details (3)

OSV: Missing permission check for paths with specific prefix in Jenkins (2022-05-24)
GHSA: Missing permission check for paths with specific prefix in Jenkins (2022-05-24)
CVEList: CVE-2021-21609: Jenkins 2 (2021-01-13)

Vendor Advisories (2)

Red Hat: jenkins: Missing permission check for paths with specific prefix (2021-01-13)
Jenkins: Jenkins Security Advisory 2021-01-13 (2021-01-13)
CVE-2021-21609 — Incorrect Authorization | cvebase