CVE-2021-21609 - log back

CVE-2021-21609 edited at 13 Jan 2021 15:13:30
References
https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2047
+ https://github.com/jenkinsci/jenkins/commit/fe9091fc74d55a56fd36544f3038d47c8cb331a4
CVE-2021-21609 edited at 13 Jan 2021 15:01:58
Severity
- Unknown
+ Low
Remote
- Unknown
+ Remote
Type
- Unknown
+ Insufficient validation
Description
+ Jenkins includes a static list of URLs that are always accessible even without Overall/Read permission, such as the login form. These URLs are excluded from an otherwise universal permission check. Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not correctly compare requested URLs with that list. This allows attackers without Overall/Read permission to access plugin-provided URLs with any of the following prefixes if no other permissions are required: accessDenied, error, instance-identity, login, logout, oops, securityRealm, signup and tcpSlaveAgentListener. For example, a plugin contributing the path loginFoo/ would have URLs in that space accessible without the default Overall/Read permission check. The Jenkins security team is not aware of any affected plugins as of the publication of this advisory. The comparison of requested URLs with the list of always accessible URLs has been fixed to only allow access to the specific listed URLs in Jenkins 2.275, LTS 2.263.2.
References
+ https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2047
Notes
CVE-2021-21609 created at 13 Jan 2021 14:47:46