CVE-2021-21626

CWE-862 — Missing Authorization5 documents5 sources

Severity

4.3MEDIUM

EPSS

0.0%

top 91.14%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Warnings Next Generation Plugin Jenkins Warnings Next Generation

Timeline

PublishedMar 18

Latest updateMay 24

Description

Jenkins Warnings Next Generation Plugin 8.4.4 and earlier does not perform a permission check in methods implementing form validation, allowing attackers with Item/Read permission but without Item/Workspace or Item/Configure permission to check whether attacker-specified file patterns match workspace contents.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶CVEListV5jenkins_project/jenkins_warnings_next_generation_pluginunspecified — 8.4.4

▶NVDjenkins/warnings_next_generation8.4.4

▶Mavenio.jenkins.plugins:warnings-ng< 8.5.0

🔴Vulnerability Details

GHSA

Missing permission checks in Jenkins Warnings Next Generation Plugin allow listing workspace contents↗2022-05-24

▶

OSV

Missing permission checks in Jenkins Warnings Next Generation Plugin allow listing workspace contents↗2022-05-24

▶

CVEList

CVE-2021-21626: Jenkins Warnings Next Generation Plugin 8↗2021-03-18

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2021-03-18↗2021-03-18

▶