CVE-2021-21670
Published 2021-06-30
Priority P4 · medium · CVSS 3.1 base score 4.3
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
EPSS: 1.98% (78.1st percentile)
Jenkins 2.299 and earlier, LTS 2.289.1 and earlier allows users to cancel queue items and abort builds of jobs for which they have Item/Cancel permission even when they do not have Item/Read permission.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | cas_plugin | — | — |
| jenkins | jenkins | < 2.289.2 | 2.289.2 |
| jenkins | jenkins | < 2.300 | 2.300 |
| jenkins | jenkins_core | — | — |
| jenkins | jenkins_lts | — | — |
| jenkins | jenkins_weekly | — | — |
| jenkins | selenium_html_report_plugin | — | — |
| jenkins_project | jenkins | unspecified – 2.299 | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
| nvd | 2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:P/A:N |
| vendor_redhat | — | 4.3 | MEDIUM | — |
Jenkins
Jenkins Security Advisory 2021-06-30
vendor_jenkins · 2021-06-30 · CVSS 4.3 · CVE-2021-21670 [MEDIUM]
This advisory announces vulnerabilities in the following Jenkins deliverables:
- Jenkins (core)
- CAS Plugin
- requests-plugin Plugin
- Selenium HTML report Plugin
Descriptions
Improper permission checks allow
Red Hat
jenkins: improper permission checks allow canceling queue items and aborting builds
vendor_redhat · 2021-06-30 · CVSS 4.3 · CVE-2021-21670 [MEDIUM] · CWE-863
Jenkins 2.299 and earlier, LTS 2.289.1 and earlier allows users to cancel queue items and abort builds of jobs for which they have Item/Cancel permission even when they do not have Item/Read permission.
An Incorrect Authorization vulnerability was found in Jenkins. Users with Item/Cancel permission are able to cancel queue items and abort builds of jobs even when they do not have Item/Read permission.
Mitigation: As a workaround on earlier versions of Jenkins, do not grant Item/Cancel permission to users who do not have Item/Read permission.
Package: jenkins (Red Hat Fuse 7) - Not affected
Package: jenkins (Red Hat OpenShift Container Platform 3.11) - Will not fix
OSV
Improper permission checks allow canceling queue items and aborting builds in Jenkins
osv · 2022-05-24 · CVE-2021-21670 [MEDIUM]
Jenkins 2.299 and earlier, LTS 2.289.1 and earlier allows users to cancel queue items and abort builds of jobs for which they have Item/Cancel permission even when they do not have Item/Read permission.
Jenkins 2.300, LTS 2.289.2 requires that users have Item/Read permission for applicable types in addition to Item/Cancel permission.
As a workaround on earlier versions of Jenkins, do not grant Item/Cancel permission to users who do not have Item/Read permission.
GHSA
Improper permission checks allow canceling queue items and aborting builds in Jenkins
ghsa · 2022-05-24 · CVE-2021-21670 [MEDIUM] · CWE-863
Jenkins 2.299 and earlier, LTS 2.289.1 and earlier allows users to cancel queue items and abort builds of jobs for which they have Item/Cancel permission even when they do not have Item/Read permission.
Jenkins 2.300, LTS 2.289.2 requires that users have Item/Read permission for applicable types in addition to Item/Cancel permission.
As a workaround on earlier versions of Jenkins, do not grant Item/Cancel permission to users who do not have Item/Read permission.
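As an added example (not from the advisory, the Jenkins project, or any of the sources above), a Python audit that applies the workaround to a Jenkins matrix-authorization `config.xml`: it flags every principal granted Item/Cancel without Item/Read (or Overall/Administer, which implies all permissions). The config snippet is constructed, and the `TYPE:permission-id:sid` layout is that of the Matrix Authorization Strategy plugin, which is an assumption about the instance being audited.

```python
"""Audit Jenkins matrix-authorization grants for the CVE-2021-21670 workaround:
every principal holding Item/Cancel should also hold Item/Read."""
import xml.etree.ElementTree as ET

# Constructed sample of the <authorizationStrategy> block from JENKINS_HOME/config.xml
# in the Matrix Authorization Strategy plugin format (TYPE:permission-id:sid). Not a real install.
SAMPLE_CONFIG = """<hudson>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>USER:hudson.model.Hudson.Administer:admin</permission>
    <permission>USER:hudson.model.Hudson.Read:alice</permission>
    <permission>USER:hudson.model.Item.Read:alice</permission>
    <permission>USER:hudson.model.Item.Cancel:alice</permission>
    <permission>USER:hudson.model.Hudson.Read:bob</permission>
    <permission>USER:hudson.model.Item.Cancel:bob</permission>
    <permission>GROUP:hudson.model.Item.Cancel:release-managers</permission>
  </authorizationStrategy>
</hudson>"""

ITEM_READ = "hudson.model.Item.Read"
ITEM_CANCEL = "hudson.model.Item.Cancel"
ADMINISTER = "hudson.model.Hudson.Administer"  # Overall/Administer implies every other permission

def parse_grants(config_xml: str) -> dict[str, set[str]]:
    """Map each principal ("TYPE:sid") to the set of permission ids granted to it."""
    root = ET.fromstring(config_xml)
    grants: dict[str, set[str]] = {}
    for node in root.iter("permission"):
        parts = (node.text or "").strip().split(":")
        if len(parts) == 3:        # modern form: USER:perm:sid or GROUP:perm:sid
            kind, perm, sid = parts
        elif len(parts) == 2:      # legacy form without a USER/GROUP prefix
            kind = "LEGACY"
            perm, sid = parts
        else:
            continue               # malformed entry; skip rather than guess
        grants.setdefault(f"{kind}:{sid}", set()).add(perm)
    return grants

def cancel_without_read(config_xml: str) -> list[str]:
    """Principals that hold Item/Cancel but neither Item/Read nor Overall/Administer.
    Group membership is not resolved, so Read inherited via a group is not credited;
    the check is conservative and may over-report, never under-report."""
    grants = parse_grants(config_xml)
    return sorted(p for p, perms in grants.items()
                  if ITEM_CANCEL in perms and not ({ITEM_READ, ADMINISTER} & perms))

if __name__ == "__main__":
    for principal in cancel_without_read(SAMPLE_CONFIG):
        print(f"WARNING: {principal} holds Item/Cancel without Item/Read")
```

On a fixed Jenkins (2.300, LTS 2.289.2) the same grants are harmless, since the server now also requires Item/Read; the audit is only needed while running an earlier version.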
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.