Severity |
|
Remote |
|
Type |
- |
Unknown |
+ |
Access restriction bypass |
|
Description |
+ |
Jenkins 2.299 and earlier allows users to cancel queue items and abort builds of jobs for which they have Item/Cancel permission even when they do not have Item/Read permission. Jenkins 2.300 requires that users have Item/Read permission for applicable types in addition to Item/Cancel permission. |
+ |
|
+ |
As a workaround on earlier versions of Jenkins, do not grant Item/Cancel permission to users who do not have Item/Read permission. |
|
References |
+ |
https://www.jenkins.io/security/advisory/2021-06-30/#SECURITY-2278 |
+ |
https://github.com/jenkinsci/jenkins/commit/86b7d7e789586575522650c60d591605facb1d70 |
|
Notes |
+ |
Workaround |
+ |
========== |
+ |
|
+ |
As a workaround on earlier versions of Jenkins, do not grant Item/Cancel permission to users who do not have Item/Read permission. |
|