| Severity |
|
| Remote |
|
| Type |
| - |
Unknown |
| + |
Privilege escalation |
|
| Description |
| + |
A security issue was found in Jenkins 2.275 through 2.278 (inclusive) that allows attackers with Job/Workspace permission to exploit this to switch their identity to SYSTEM, an internal user with all permissions. The issue is caused by an embedded copy of Spring Security, which in version 5.4.3 and earlier has a vulnerability that unintentionally persisted temporarily elevated privileges in some circumstances in a user’s session. Jenkins 2.280 integrates Spring Security 5.4.4, which includes a fix for this issue. |
| + |
|
| + |
Administrators of instances running Jenkins releases 2.275 through 2.278 (inclusive) who cannot upgrade to a fixed version are advised to apply the short-term workaround of removing Job/Workspace permission from all non-admin users. |
|
| References |
| + |
https://www.jenkins.io/security/advisory/2021-02-19/#SECURITY-2195 |
| + |
https://github.com/jenkinsci/jenkins/pull/5285 |
| + |
https://github.com/jenkinsci/jenkins/commit/bc3052f32807232ba1c3aa8957ca55a06d84cbe3 |
|
| Notes |
| + |
Workaround |
| + |
========== |
| + |
|
| + |
Administrators of instances running Jenkins releases 2.275 through 2.278 (inclusive) who cannot upgrade to a fixed version are advised to apply the short-term workaround of removing Job/Workspace permission from all non-admin users. |
|