Subject: [ASA-202107-5] jenkins: multiple issues Arch Linux Security Advisory ASA-202107-5 ========================================= Severity: High Date : 2021-07-01 CVE-ID : CVE-2021-21670 CVE-2021-21671 Package : jenkins Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-2118 Summary ======= The package jenkins before version 2.300-1 is vulnerable to multiple issues including authentication bypass and access restriction bypass. Resolution ========== Upgrade to 2.300-1. # pacman -Syu "jenkins>=2.300-1" The problems have been fixed upstream in version 2.300. Workaround ========== As a workaround for CVE-2021-21670, do not grant Item/Cancel permission to users who do not have Item/Read permission. No known workaround exists for CVE-2021-21671. Description =========== - CVE-2021-21670 (access restriction bypass) Jenkins 2.299 and earlier allows users to cancel queue items and abort builds of jobs for which they have Item/Cancel permission even when they do not have Item/Read permission. Jenkins 2.300 requires that users have Item/Read permission for applicable types in addition to Item/Cancel permission. As a workaround on earlier versions of Jenkins, do not grant Item/Cancel permission to users who do not have Item/Read permission. - CVE-2021-21671 (authentication bypass) Jenkins 2.299 and earlier does not invalidate the existing session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins. Jenkins 2.300 invalidates the existing session on login. Impact ====== A remote attacker could login into an expired user session. Additionally, users could cancel queue items and abort builds for which they do not have Item/Read permission. References ========== https://www.jenkins.io/security/advisory/2021-06-30/#SECURITY-2278 https://github.com/jenkinsci/jenkins/commit/86b7d7e789586575522650c60d591605facb1d70 https://www.jenkins.io/security/advisory/2021-06-30/#SECURITY-2371 https://github.com/jenkinsci/jenkins/commit/25a42f3942fd9f8bd768c887c679dbc796b4fcd5 https://security.archlinux.org/CVE-2021-21670 https://security.archlinux.org/CVE-2021-21671