CVE-2021-22112 - log back

CVE-2021-22112 edited at 19 Feb 2021 15:09:52
Severity
- Unknown
+ High
Remote
- Unknown
+ Remote
Type
- Unknown
+ Privilege escalation
Description
+ A security issue was found in Jenkins 2.275 through 2.278 (inclusive) that allows attackers with Job/Workspace permission to exploit this to switch their identity to SYSTEM, an internal user with all permissions. The issue is caused by an embedded copy of Spring Security, which in version 5.4.3 and earlier has a vulnerability that unintentionally persisted temporarily elevated privileges in some circumstances in a user’s session. Jenkins 2.280 integrates Spring Security 5.4.4, which includes a fix for this issue.
+
+ Administrators of instances running Jenkins releases 2.275 through 2.278 (inclusive) who cannot upgrade to a fixed version are advised to apply the short-term workaround of removing Job/Workspace permission from all non-admin users.
References
+ https://www.jenkins.io/security/advisory/2021-02-19/#SECURITY-2195
+ https://github.com/jenkinsci/jenkins/pull/5285
+ https://github.com/jenkinsci/jenkins/commit/bc3052f32807232ba1c3aa8957ca55a06d84cbe3
Notes
+ Workaround
+ ==========
+
+ Administrators of instances running Jenkins releases 2.275 through 2.278 (inclusive) who cannot upgrade to a fixed version are advised to apply the short-term workaround of removing Job/Workspace permission from all non-admin users.
CVE-2021-22112 created at 19 Feb 2021 15:01:16