CVE-2021-21670 org.jenkins-ci.main:jenkins-core

Package

Manager: maven
Name: org.jenkins-ci.main:jenkins-core
Vulnerable Version: >=0 <2.289.2 || >=2.292 <2.300

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00359 (percentile 0.57386)

Details

Improper permission checks allow canceling queue items and aborting builds in Jenkins. Jenkins 2.299 and earlier and LTS 2.289.1 and earlier allow users to cancel queue items and abort builds of jobs for which they have Item/Cancel permission even when they do not have Item/Read permission. Jenkins 2.300 and LTS 2.289.2 require that users have Item/Read permission for the applicable item types in addition to Item/Cancel permission. As a workaround on earlier versions of Jenkins, do not grant Item/Cancel permission to users who do not have Item/Read permission.

Metadata

Created: 2022-05-24T19:06:36Z
Modified: 2022-12-16T15:22:17Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-q4wp-8c99-69pw/GHSA-q4wp-8c99-69pw.json
CWE IDs: ["CWE-863"]
Alternative ID: GHSA-q4wp-8c99-69pw
Finding: F006
Auto approve: 1