CVE-2021-21651

CWE-862 — Missing Authorization5 documents5 sources

Severity

4.3MEDIUM

EPSS

0.1%

top 79.89%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins S3 Publisher Plugin Jenkins S3 Publisher

Timeline

PublishedMay 11

Latest updateJun 16

Description

Jenkins S3 publisher Plugin 0.11.6 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to obtain the list of configured profiles.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶CVEListV5jenkins_project/jenkins_s3_publisher_pluginunspecified — 0.11.6

▶Mavenorg.jenkins-ci.plugins:s30.11.6 — 0.11.7+1

▶NVDjenkins/s3_publisher0.11.6

🔴Vulnerability Details

GHSA

Missing Authorization in Jenkins S3 publisher Plugin↗2021-06-16

▶

OSV

Missing Authorization in Jenkins S3 publisher Plugin↗2021-06-16

▶

CVEList

CVE-2021-21651: Jenkins S3 publisher Plugin 0↗2021-05-11

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2021-05-11↗2021-05-11

▶