CVE-2021-21670 log
| Source |
|
| Severity | Medium |
| Remote | Yes |
| Type | Access restriction bypass |
| Description | Jenkins 2.299 and earlier allows users to cancel queue items and abort builds of jobs for which they have Item/Cancel permission even when they do not have Item/Read permission. Jenkins 2.300 requires that users have Item/Read permission for applicable types in addition to Item/Cancel permission. As a workaround on earlier versions of Jenkins, do not grant Item/Cancel permission to users who do not have Item/Read permission. |
| Group | Package | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|---|
| AVG-2118 | jenkins | 2.299-1 | 2.300-1 | High | Fixed |
| Date | Advisory | Group | Package | Severity | Type |
|---|---|---|---|---|---|
| 01 Jul 2021 | ASA-202107-5 | AVG-2118 | jenkins | High | multiple issues |
| References |
|---|
https://www.jenkins.io/security/advisory/2021-06-30/#SECURITY-2278 https://github.com/jenkinsci/jenkins/commit/86b7d7e789586575522650c60d591605facb1d70 |
| Notes |
|---|
Workaround ========== As a workaround on earlier versions of Jenkins, do not grant Item/Cancel permission to users who do not have Item/Read permission. |