PT-2021-14667 · Oracle+1 · Java+1

Daniel Beck · Published 2021-03-18 · Updated 2023-10-25 · CVE-2021-21624

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins Role-based Authorization Strategy Plugin versions 3.1 and earlier

Description: The issue arises from an incorrect permission check: attackers with Item/Read permission on nested items can access them even when they lack Item/Read permission on the parent folders. In a hierarchical setup using the Folders Plugin, an item should be accessible only if all of its ancestors are accessible. The vulnerable plugin does not perform this ancestor check correctly, so items such as jobs may be exposed to unauthorized access. No real-world incidents or estimates of the number of affected devices have been reported.

Recommendations: For Jenkins Role-based Authorization Strategy Plugin versions 3.1 and earlier, as a temporary workaround, do not grant Item/Read permission on individual items to users who do not have access to the parent items. Additionally, the Java system property com.michelin.cio.hudson.plugins.rolestrategy.RoleMap.checkParentPermissions can be set to false to disable the incorrect permission check entirely, although this should be used with caution. For a permanent fix, update to version 3.1.1 or later, which requires Item/Read permission on the parent items before granting Item/Read permission on an individual item.
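To make the ancestor check concrete, here is an added example that is not the plugin's code: a small Python model of hierarchical Item/Read checks over a constructed ACL, contrasting the behaviour the advisory describes for 3.1 and earlier with the behaviour of 3.1.1, plus an audit of which grants a fixed install would stop honouring. The item paths, users and grants are constructed sample data.

```python
# Added example (not from the advisory or the Jenkins plugin): a minimal model of
# hierarchical Item/Read checks, contrasting the behaviour the advisory describes
# for Role-based Authorization Strategy <= 3.1 with the fixed behaviour in 3.1.1.
# Item paths, users and grants below are constructed sample data.

from typing import Dict, Iterator, List, Set

# Direct Item/Read grants per item path (constructed sample ACL).
READ_GRANTS: Dict[str, Set[str]] = {
    "team-folder": {"alice"},
    "team-folder/secret-job": {"alice", "bob"},  # bob has Read on the job only
    "public-folder": {"alice", "bob"},
    "public-folder/build-job": {"alice", "bob"},
}


def ancestors(path: str) -> Iterator[str]:
    """Yield the ancestor folder paths of an item, nearest first."""
    parts = path.split("/")
    for i in range(len(parts) - 1, 0, -1):
        yield "/".join(parts[:i])


def has_direct_read(user: str, path: str) -> bool:
    """True if the ACL grants Item/Read on this exact item."""
    return user in READ_GRANTS.get(path, set())


def can_read_vulnerable(user: str, path: str) -> bool:
    """Behaviour described for <= 3.1: a grant on the nested item alone suffices."""
    return has_direct_read(user, path)


def can_read_fixed(user: str, path: str) -> bool:
    """Behaviour of 3.1.1+: Item/Read on the item AND on every ancestor folder."""
    if not has_direct_read(user, path):
        return False
    return all(has_direct_read(user, a) for a in ancestors(path))


def audit_exposed_items(user: str) -> List[str]:
    """Items the user could reach before the fix but not after: the exposure."""
    return sorted(p for p in READ_GRANTS
                  if can_read_vulnerable(user, p) and not can_read_fixed(user, p))


if __name__ == "__main__":
    print(audit_exposed_items("bob"))  # ['team-folder/secret-job']
```

Running the audit for each user over a real role mapping exported from the plugin is the quickest way to see which grants the workaround in the advisory would need to remove.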

Weakness Enumeration
Incorrect Authorization

Related Identifiers
CVE-2021-21624
GHSA-RM4M-39FJ-288C

Affected Products
Java
Jenkins