CVE-2021-21670 - log

CVE-2021-21670 edited at 01 Jul 2021 09:40:09
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Access restriction bypass
Description
+ Jenkins 2.299 and earlier allows users to cancel queue items and abort builds of jobs for which they have Item/Cancel permission even when they do not have Item/Read permission. Jenkins 2.300 requires that users have Item/Read permission for applicable types in addition to Item/Cancel permission.
+
+ As a workaround on earlier versions of Jenkins, do not grant Item/Cancel permission to users who do not have Item/Read permission.
References
+ https://www.jenkins.io/security/advisory/2021-06-30/#SECURITY-2278
+ https://github.com/jenkinsci/jenkins/commit/86b7d7e789586575522650c60d591605facb1d70
Notes
+ Workaround
+ ==========
+
+ As a workaround on earlier versions of Jenkins, do not grant Item/Cancel permission to users who do not have Item/Read permission.
CVE-2021-21670 created at 01 Jul 2021 09:37:13