PT-2021-14713 · Jenkins · Jenkins
Angélique Jard · Published 2021-06-30 · Updated 2024-03-06 · CVE-2021-21670
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Jenkins versions 2.299 and earlier
Jenkins LTS versions 2.289.1 and earlier
Description
The issue allows users to cancel queue items and abort builds of jobs for which they have Item/Cancel permission even when they do not have Item/Read permission. This can be exploited by users with Item/Cancel permission to affect jobs without having the necessary Item/Read permission.
Recommendations
For Jenkins versions 2.299 and earlier, do not grant Item/Cancel permission to users who do not have Item/Read permission as a workaround.
For Jenkins LTS versions 2.289.1 and earlier, do not grant Item/Cancel permission to users who do not have Item/Read permission as a workaround.
Fix
Weakness Enumeration
Incorrect Authorization
Related Identifiers
CVE-2021-21670
Affected Products
Jenkins
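The workaround above comes down to an audit question: which principals hold Item/Cancel without also holding Item/Read? The following script is an added example, not part of this advisory or of Jenkins itself. It reads the grants of a Matrix Authorization Strategy configuration and lists every principal in that risky combination. It assumes (the advisory does not say so) that the plugin stores grants as <permission> text nodes of the form "hudson.model.Item.Read:alice" in older plugin versions and "USER:hudson.model.Item.Read:alice" or "GROUP:hudson.model.Item.Read:devs" in newer ones; the sample configuration embedded in the script is constructed for illustration.

```python
"""Audit a Jenkins matrix-authorization config for Item/Cancel-without-Item/Read.

Added example; it is not the advisory's or the Jenkins project's code.
Assumed permission-entry formats (matrix-auth plugin; not stated on the
advisory page):
  "hudson.model.Item.Read:alice"          older plugin versions
  "USER:hudson.model.Item.Read:alice"     newer plugin versions
  "GROUP:hudson.model.Item.Read:devs"     newer plugin versions
"""
import xml.etree.ElementTree as ET

READ = "hudson.model.Item.Read"
CANCEL = "hudson.model.Item.Cancel"
ADMINISTER = "hudson.model.Hudson.Administer"  # Overall/Administer implies all

# Constructed sample config.xml fragment for this example.
SAMPLE_CONFIG = """<hudson>
  <authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy">
    <permission>USER:hudson.model.Hudson.Administer:admin</permission>
    <permission>USER:hudson.model.Item.Read:alice</permission>
    <permission>USER:hudson.model.Item.Cancel:alice</permission>
    <permission>USER:hudson.model.Item.Cancel:bob</permission>
    <permission>GROUP:hudson.model.Item.Build:release-bots</permission>
    <permission>GROUP:hudson.model.Item.Cancel:release-bots</permission>
    <permission>hudson.model.Item.Cancel:legacy-user</permission>
  </authorizationStrategy>
</hudson>
"""


def parse_grants(config_xml):
    """Return {(kind, principal): set(permission_ids)} from <permission> nodes."""
    root = ET.fromstring(config_xml)
    grants = {}
    for node in root.iter("permission"):
        parts = (node.text or "").strip().split(":")
        if len(parts) == 3:          # newer format: TYPE:permission:sid
            kind, perm, sid = parts
        elif len(parts) == 2:        # older format: permission:sid
            perm, sid = parts
            kind = "EITHER"          # plugin resolves the sid as user or group
        else:
            continue                 # malformed entry; skip it
        grants.setdefault((kind, sid), set()).add(perm)
    return grants


def cancel_without_read(config_xml):
    """Principals granted Item/Cancel but neither Item/Read nor Administer."""
    grants = parse_grants(config_xml)
    # Item/Read granted to the built-in 'authenticated' group reaches every
    # logged-in user, so only 'anonymous' can still lack Read in that case.
    authenticated_read = any(
        sid == "authenticated" and READ in perms
        for (_, sid), perms in grants.items()
    )
    findings = []
    for (kind, sid), perms in sorted(grants.items()):
        if CANCEL not in perms or READ in perms or ADMINISTER in perms:
            continue
        if authenticated_read and sid != "anonymous":
            continue
        findings.append(f"{kind}:{sid}")
    return findings


if __name__ == "__main__":
    for entry in cancel_without_read(SAMPLE_CONFIG):
        print("Item/Cancel without Item/Read:", entry)
```

Run it against a copy of the controller's config.xml (or a job's config.xml when project-based matrix authorization is in use); every line it prints is a grant the workaround says to remove or complement with Item/Read until the instance is upgraded.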