CVE-2021-21670

Severity: Medium
Remote:   Yes
Type:     Access restriction bypass

Description
Jenkins 2.299 and earlier allows users to cancel queue items and abort builds of jobs for which they have Item/Cancel permission even when they do not have Item/Read permission. Jenkins 2.300 requires that users have Item/Read permission for applicable types in addition to Item/Cancel permission.

As a workaround on earlier versions of Jenkins, do not grant Item/Cancel permission to users who do not have Item/Read permission.
Group      Package   Affected   Fixed     Severity   Status   Ticket
AVG-2118   jenkins   2.299-1    2.300-1   High       Fixed

Date          Advisory        Group      Package   Severity   Type
01 Jul 2021   ASA-202107-5    AVG-2118   jenkins   High       multiple issues
References
https://www.jenkins.io/security/advisory/2021-06-30/#SECURITY-2278
https://github.com/jenkinsci/jenkins/commit/86b7d7e789586575522650c60d591605facb1d70