PT-2021-14652 · Jenkins · Jenkins

Daniel Beck

·

Published

2021-01-13

·

Updated

2024-03-06

·

CVE-2021-21609

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Jenkins versions 2.274 and earlier, LTS versions 2.263.1 and earlier

Description

Jenkins does not correctly match requested URLs to its list of always accessible paths, the URLs that users without Overall/Read permission may reach (login, logout, error pages, agent connections and the like). Because the match is performed on the URL prefix, any request path that merely begins with one of those entries is treated as always accessible, so attackers without Overall/Read permission can access some URLs as if they had that permission. This affects URLs with specific prefixes such as accessDenied, error, instance-identity, login, logout, oops, securityRealm, signup, and tcpSlaveAgentListener, including plugin-provided paths that begin with those strings. The comparison of requested URLs with the list of always accessible URLs has been fixed in Jenkins 2.275, LTS 2.263.2; as a result, some URLs that were previously reachable are no longer accessible without Overall/Read permission.

Recommendations

For Jenkins versions 2.274 and earlier, LTS versions 2.263.1 and earlier, update to Jenkins 2.275, LTS 2.263.2 or later to resolve the issue. If the update cannot be applied immediately, restrict access to plugin-provided URLs beginning with the prefixes listed above until it can. The corrected comparison may make some URLs inaccessible to users without Overall/Read permission; if that breaks a legitimate use, additional path prefixes can be made accessible without Overall/Read permission by setting the Java system property jenkins.model.Jenkins.additionalReadablePaths to a comma-separated list of path prefixes. Every prefix added there becomes reachable without authentication, so add only paths that are safe to expose.
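The prefix-matching flaw described above, and the post-update use of additionalReadablePaths, modelled in Python as an added example. This is illustrative code written for this page, not Jenkins' own implementation: the leading-slash form of the listed paths, the parsing rules applied to the property value, and the sample request paths (including the hypothetical plugin paths /loginLink/ and /securityRealmAdmin) are assumptions of the example.

```python
"""Model of the CVE-2021-21609 always-readable path check (illustrative, not Jenkins code).

Jenkins exempts a fixed list of URL paths from the Overall/Read requirement so
that login, logout, error pages and agent connections work for anonymous users.
The vulnerable check compared the requested path to that list with a plain
string-prefix test, so any path that merely began with an entry (such as a
hypothetical plugin-provided "/loginLink/") inherited the exemption.
"""
from typing import Optional, Tuple

# Prefixes named in the advisory. Writing them with a leading "/" is an
# assumption of this model, matching how request paths are written below.
ALWAYS_READABLE_PATHS: Tuple[str, ...] = (
    "/accessDenied", "/error", "/instance-identity", "/login", "/logout",
    "/oops", "/securityRealm", "/signup", "/tcpSlaveAgentListener",
)


def strip_query(path: str) -> str:
    """Decide on the path component only; the query string must not matter."""
    return path.split("?", 1)[0]


def vulnerable_is_always_readable(path: str) -> bool:
    """Pre-2.275 style check: a raw string-prefix match (the bug)."""
    path = strip_query(path)
    return any(path.startswith(prefix) for prefix in ALWAYS_READABLE_PATHS)


def path_matches(path: str, prefix: str) -> bool:
    """Segment-aware match: "/login" and "/login/x" match "/login"; "/loginX" does not."""
    return path == prefix or path.startswith(prefix + "/")


def parse_additional_readable_paths(value: Optional[str]) -> Tuple[str, ...]:
    """Parse a comma-separated list of extra prefixes, the shape of value the
    jenkins.model.Jenkins.additionalReadablePaths property takes. Trimming
    whitespace and normalising to a leading "/" with no trailing "/" are
    assumptions of this example."""
    if not value:
        return ()
    out = []
    for item in value.split(","):
        item = item.strip()
        if not item.startswith("/"):
            item = "/" + item
        item = item.rstrip("/")
        if item:
            out.append(item)
    return tuple(out)


def fixed_is_always_readable(path: str, additional: Optional[str] = None) -> bool:
    """Corrected check: segment-aware match against the built-in list plus any
    operator-supplied prefixes. Every added prefix is reachable by anonymous
    users, so only paths that are safe to expose belong there."""
    path = strip_query(path)
    allowed = ALWAYS_READABLE_PATHS + parse_additional_readable_paths(additional)
    return any(path_matches(path, prefix) for prefix in allowed)


def anonymous_access_report(paths, additional=None):
    """Run both checks over request paths from a user without Overall/Read.
    Returns a list of (path, vulnerable_allows, fixed_allows) tuples."""
    return [
        (p, vulnerable_is_always_readable(p), fixed_is_always_readable(p, additional))
        for p in paths
    ]


# Constructed request paths for the demonstration; "/loginLink/" and
# "/securityRealmAdmin" stand in for hypothetical plugin-provided URLs.
SAMPLE_PATHS = (
    "/login",
    "/login/",
    "/securityRealm/commenceLogin",
    "/loginLink/",
    "/securityRealmAdmin",
    "/error-page",
    "/job/secret/",
    "/job/secret/?ref=/login",
)

if __name__ == "__main__":
    for path, vuln, fixed in anonymous_access_report(SAMPLE_PATHS):
        print(f"{path:32} vulnerable={vuln!s:5} fixed={fixed}")
    # After updating, deliberately re-expose one plugin path via the property value.
    print(fixed_is_always_readable("/loginLink/", "loginLink"))
```

The report shows the two behaviours side by side: the vulnerable check lets an anonymous request through to /loginLink/, /securityRealmAdmin and /error-page because each string starts with a listed entry, while the corrected check only passes the exact listed path or a sub-path of it. The last line models the documented escape hatch: supplying loginLink through the property restores anonymous access to that one prefix, which is exactly why the property value should be reviewed as carefully as the original allowlist.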

Fix

Weakness Enumeration

Incorrect Authorization

Related Identifiers

BIT-JENKINS-2021-21609
CVE-2021-21609
GHSA-4625-Q52W-39CX
RHSA-2021:0423
RHSA-2021:0429
RHSA-2021:0637

Affected Products

Jenkins