PT-2021-14666 · Oracle+1 · Java+1

Published: 2021-03-18 · Updated: 2023-10-25 · CVE-2021-21623
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins Matrix Authorization Strategy Plugin versions 2.6.5 and earlier
Description: The plugin does not correctly perform the permission checks that decide whether an item should be accessible. Jenkins organizes items hierarchically (for example jobs inside folders created with the Folders Plugin), and an item is supposed to be accessible only if every one of its ancestors is accessible as well. Matrix Authorization Strategy Plugin 2.6.5 and earlier evaluates only the item's own matrix, so an authenticated attacker who has been granted Item/Read on a nested item can access it even though they lack Item/Read on the parent folder(s). The CVSS vector reflects this: the attacker needs an account with some permission (PR:L), and the impact is disclosure of the nested item (C:H) with no integrity or availability impact.
Recommendations: Update to Jenkins Matrix Authorization Strategy Plugin 2.6.6 or later. Starting with 2.6.6, granting Item/Read on an individual item is only effective if the user also has Item/Read on its parent items, which closes the gap described above. Until the update can be applied, as a temporary workaround, do not grant Item/Read on individual items to users who do not also have Item/Read on the enclosing folder(s), and review existing per-item grants for such cases. Note that the Java system property hudson.security.AuthorizationMatrixProperty.checkParentPermissions is an escape hatch in the fixed version: passing -Dhudson.security.AuthorizationMatrixProperty.checkParentPermissions=false to the Jenkins JVM disables the new parent-permission check and restores the vulnerable behaviour. It exists for administrators whose setups break under the stricter check, not as a mitigation; if it is set, the instance remains exposed to this issue.
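The following is an added illustration of the check described above, written for this page; it is not code from Jenkins or from the Matrix Authorization Strategy Plugin, and the item names, users and grants are constructed. It models per-item Item/Read grants plus an optional global reader set, and deliberately ignores other Jenkins details (inheritance strategies, other permissions, anonymous access). `can_read_vulnerable` reproduces the 2.6.5 logic, which consults only the item's own matrix; `can_read_fixed` reproduces the 2.6.6 logic, which additionally walks every ancestor, with `check_parent_permissions=False` standing in for the escape-hatch system property. `exposed_items` is a hypothetical audit helper that lists the (item, user) pairs whose access changes between the two, which is also the list of per-item grants to review when applying the workaround.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Set, Tuple

ITEM_READ = "Item/Read"


@dataclass
class Item:
    """A Jenkins item (job or folder) with its own per-item permission matrix."""
    name: str
    parent: Optional["Item"] = None
    # {permission: {user, ...}} as granted on this item only
    grants: Dict[str, Set[str]] = field(default_factory=dict)

    def ancestors(self) -> Iterator["Item"]:
        node = self.parent
        while node is not None:
            yield node
            node = node.parent

    def full_name(self) -> str:
        # e.g. "secret/deploy" for job "deploy" inside folder "secret"
        return "/".join(reversed([self.name] + [a.name for a in self.ancestors()]))


def has_read(item: Item, user: str, global_readers: Set[str]) -> bool:
    """Item/Read on this single item, from the global matrix or the item's own matrix."""
    return user in global_readers or user in item.grants.get(ITEM_READ, set())


def can_read_vulnerable(item: Item, user: str, global_readers: Set[str] = frozenset()) -> bool:
    """2.6.5 and earlier: only the item's own matrix decides; ancestors are never consulted."""
    return has_read(item, user, global_readers)


def can_read_fixed(item: Item, user: str, global_readers: Set[str] = frozenset(),
                   check_parent_permissions: bool = True) -> bool:
    """2.6.6 and later: the item is readable only if every ancestor is readable too.

    check_parent_permissions=False models the escape-hatch system property
    (hudson.security.AuthorizationMatrixProperty.checkParentPermissions=false),
    which brings back the vulnerable behaviour.
    """
    if not has_read(item, user, global_readers):
        return False
    if not check_parent_permissions:
        return True
    return all(has_read(a, user, global_readers) for a in item.ancestors())


def exposed_items(items: List[Item], users: List[str],
                  global_readers: Set[str] = frozenset()) -> List[Tuple[str, str]]:
    """Hypothetical audit helper: grants that leak on 2.6.5 but are refused on 2.6.6."""
    return [
        (item.full_name(), user)
        for item in items
        for user in users
        if can_read_vulnerable(item, user, global_readers)
        and not can_read_fixed(item, user, global_readers)
    ]


# Constructed sample hierarchy: "bob" was granted Item/Read on the nested job
# "secret/deploy" but not on its parent folder "secret".
SECRET = Item("secret", grants={ITEM_READ: {"alice"}})
DEPLOY = Item("deploy", parent=SECRET, grants={ITEM_READ: {"alice", "bob"}})
PUBLIC = Item("public", grants={ITEM_READ: {"alice", "bob"}})
SAMPLE_ITEMS = [SECRET, DEPLOY, PUBLIC]

if __name__ == "__main__":
    for name, user in exposed_items(SAMPLE_ITEMS, ["alice", "bob"]):
        print(f"{user} can read {name} on plugin <= 2.6.5 but not on >= 2.6.6")
```

Run as a script it reports the one leaking grant in the constructed data, bob on secret/deploy; alice, who has Item/Read on both levels, and anyone with a global Item/Read grant are unaffected by the fix, which is why the update is safe for correctly configured instances and only the escape-hatch property would reintroduce the exposure.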

Fix

Update Jenkins Matrix Authorization Strategy Plugin to version 2.6.6 or later.

Weakness Enumeration

Incorrect Authorization (CWE-863)

Related Identifiers

CVE-2021-21623
GHSA-96JW-3XW4-MQ9P
RHSA-2021:2437

Affected Products

Java
Jenkins