CVE-2021-21647

Severity: 4.3 MEDIUM
EPSS: 0.2% (top 62.86%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 21; Latest update May 24

Description

Jenkins CloudBees CD Plugin 1.1.21 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Item/Read permission to schedule builds of projects without having Item/Build permission.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Exploitability: 2.8 | Impact: 1.4

Affected Packages (3 packages)

Source | Package | Version range
CVEListV5 | jenkins_project/jenkins_cloudbees_cd_plugin | unspecified to 1.1.21
Maven | org.jenkins-ci.plugins:electricflow | 1.1.19 to 1.1.22 (+1)

Vulnerability Details (3)

Source | Title | Date
OSV | Missing permission check in Jenkins CloudBees CD Plugin allows scheduling builds | 2022-05-24
GHSA | Missing permission check in Jenkins CloudBees CD Plugin allows scheduling builds | 2022-05-24
CVEList | CVE-2021-21647: Jenkins CloudBees CD Plugin 1 | 2021-04-21

Vendor Advisories (1)

Source | Title | Date
Jenkins | Jenkins Security Advisory 2021-04-21 | 2021-04-21
CVE-2021-21647 (MEDIUM CVSS 4.3) | Jenkins CloudBees CD Plugin 1.1.21 | cvebase.io