CVE-2021-21604 - log back

CVE-2021-21604 edited at 13 Jan 2021 15:11:49
References
https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-1923
+ https://github.com/jenkinsci/jenkins/commit/f1056bd814fc1f19ea241a101d649b8c143807e7
CVE-2021-21604 edited at 13 Jan 2021 14:54:45
Severity
- Unknown
+ High
Remote
- Unknown
+ Remote
Type
- Unknown
+ Incorrect calculation
Description
+ Jenkins provides XML REST APIs to configure views, jobs, and other items. When deserialization fails because of invalid data, Jenkins 2.274 and earlier, LTS 2.263.1 and earlier stores invalid object references created through these endpoints in the Old Data Monitor. If an administrator discards the old data, some erroneous data submitted to these endpoints may be persisted. This allows attackers with View/Create, Job/Create, Agent/Create, or their respective */Configure permissions to inject crafted content into Old Data Monitor that results in the instantiation of potentially unsafe objects when discarded by an administrator. Jenkins 2.275, LTS 2.263.2 does not record submissions from users in Old Data Monitor anymore.
References
+ https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-1923
Notes
CVE-2021-21604 created at 13 Jan 2021 14:47:46