CVE-2021-22112

Severity: High
Remote: Yes
Type: Privilege escalation
Description
A security issue was found in Jenkins 2.275 through 2.278 (inclusive) that allows an attacker holding the Job/Workspace permission to switch their identity to SYSTEM, an internal user that has all permissions. The root cause is the copy of Spring Security embedded in Jenkins: Spring Security 5.4.3 and earlier has a vulnerability in which temporarily elevated privileges are, in some circumstances, unintentionally persisted in the user's session. Jenkins 2.280 integrates Spring Security 5.4.4, which includes a fix for this issue.

Administrators of instances running Jenkins releases 2.275 through 2.278 (inclusive) who cannot upgrade to a fixed version are advised to apply the short-term workaround of removing Job/Workspace permission from all non-admin users.
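The workaround above is a permission change, so the useful check is whether any non-admin principal still holds Job/Workspace. The following is an added example (not Jenkins' own code and not part of this advisory) that audits and rewrites the matrix-authorization block of a Jenkins config.xml. It assumes the on-disk layout written by the GlobalMatrixAuthorizationStrategy: one `<permission>` element per grant in the form `permission:principal`, optionally prefixed with `USER:` or `GROUP:` in newer matrix-auth releases. The configuration text is constructed for the example; any edit to a live config.xml only takes effect after a Jenkins reload or restart, and the same removal can be made in the web UI.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Jenkins config.xml authorization block (not from any real instance).
SAMPLE_CONFIG = """<hudson>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:admin</permission>
    <permission>hudson.model.Hudson.Read:authenticated</permission>
    <permission>hudson.model.Item.Read:alice</permission>
    <permission>hudson.model.Item.Workspace:alice</permission>
    <permission>hudson.model.Item.Workspace:admin</permission>
    <permission>USER:hudson.model.Item.Workspace:bob</permission>
  </authorizationStrategy>
</hudson>
"""

ADMIN_PERMISSION = "hudson.model.Hudson.Administer"      # Overall/Administer
WORKSPACE_PERMISSION = "hudson.model.Item.Workspace"     # Job/Workspace


def parse_permission(text):
    """Split one <permission> entry into (permission id, principal).

    Assumed formats: 'perm:principal', or 'USER:perm:principal' /
    'GROUP:perm:principal' as written by newer matrix-auth versions.
    """
    parts = (text or "").strip().split(":")
    if len(parts) == 3 and parts[0] in ("USER", "GROUP", "EITHER"):
        parts = parts[1:]
    if len(parts) != 2:
        raise ValueError(f"unexpected permission entry: {text!r}")
    return parts[0], parts[1]


def find_risky_workspace_grants(config_xml):
    """Return principals holding Job/Workspace that do not also hold Overall/Administer."""
    root = ET.fromstring(config_xml)
    strategy = root.find("authorizationStrategy")
    if strategy is None:
        return []
    admins = set()
    workspace_holders = []
    for elem in strategy.findall("permission"):
        perm, principal = parse_permission(elem.text)
        if perm == ADMIN_PERMISSION:
            admins.add(principal)
        elif perm == WORKSPACE_PERMISSION:
            workspace_holders.append(principal)
    return sorted(p for p in workspace_holders if p not in admins)


def apply_workaround(config_xml):
    """Drop Job/Workspace grants for non-admins; return (new_xml, removed principals)."""
    root = ET.fromstring(config_xml)
    strategy = root.find("authorizationStrategy")
    risky = set(find_risky_workspace_grants(config_xml))
    removed = []
    if strategy is not None:
        for elem in list(strategy.findall("permission")):
            perm, principal = parse_permission(elem.text)
            if perm == WORKSPACE_PERMISSION and principal in risky:
                strategy.remove(elem)
                removed.append(principal)
    return ET.tostring(root, encoding="unicode"), sorted(removed)


if __name__ == "__main__":
    print("non-admins with Job/Workspace:", find_risky_workspace_grants(SAMPLE_CONFIG))
    fixed_xml, dropped = apply_workaround(SAMPLE_CONFIG)
    print("removed grants for:", dropped)
    print(fixed_xml)
```

Administrators keep their Job/Workspace grant since the advisory only asks for its removal from non-admin users; in the sample, alice and bob are flagged and admin is left alone.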
Group: AVG-1595
Package: jenkins
Affected: 2.279-1
Fixed: 2.280-1
Severity: High
Status: Fixed
Ticket: none
References
https://www.jenkins.io/security/advisory/2021-02-19/#SECURITY-2195
https://github.com/jenkinsci/jenkins/pull/5285
https://github.com/jenkinsci/jenkins/commit/bc3052f32807232ba1c3aa8957ca55a06d84cbe3