CVE-2021-21623 — Incorrect Authorization in Project Jenkins Matrix Authorization Strategy Plugin

CWE-863 — Incorrect Authorization CWE-273 — Improper Check for Dropped Privileges5 documents5 sources

Severity

6.5MEDIUMNVD

EPSS

0.1%

top 72.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Matrix Authorization Strategy Plugin Jenkins Matrix Authorization Strategy Jenkins AWS Credentials Plugin +5 more

Timeline

PublishedMar 18

Latest updateMay 24

Description

An incorrect permission check in Jenkins Matrix Authorization Strategy Plugin 2.6.5 and earlier allows attackers with Item/Read permission on nested items to access them, even if they lack Item/Read permission for parent folders.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages8 packages

▶CVEListV5jenkins_project/jenkins_matrix_authorization_strategy_pluginunspecified — 2.6.5

▶jenkinsjenkins/matrix_authorization_strategy_plugin

▶NVDjenkins/matrix_authorization_strategy2.6.5

▶jenkinsjenkins/role-based_authorization_strategy_plugin

▶jenkinsjenkins/folders_plugin

🔴Vulnerability Details

OSV

Incorrect permission checks in Jenkins Matrix Authorization Strategy Plugin may allow accessing some items↗2022-05-24

▶

GHSA

Incorrect permission checks in Jenkins Matrix Authorization Strategy Plugin may allow accessing some items↗2022-05-24

▶

📋Vendor Advisories

Red Hat

jenkins-2-plugins/matrix-auth: Incorrect permission checks in Matrix Authorization Strategy Plugin↗2021-03-18

▶

Jenkins

Jenkins Security Advisory 2021-03-18↗2021-03-18

▶