
[ASA-202107-5] jenkins: multiple issues

2021-07-01 00:00:00
security.archlinux.org

CVSS3: 7.5 High
  Attack Vector: NETWORK
  Attack Complexity: HIGH
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 5.1 Medium
  Access Vector: NETWORK
  Access Complexity: HIGH
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P

EPSS: 0.003 Low
  Percentile: 69.4%

Arch Linux Security Advisory ASA-202107-5

Severity: High
Date : 2021-07-01
CVE-ID : CVE-2021-21670 CVE-2021-21671
Package : jenkins
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-2118

Summary

The package jenkins before version 2.300-1 is vulnerable to multiple
issues including authentication bypass and access restriction bypass.

Resolution

Upgrade to 2.300-1.

pacman -Syu "jenkins>=2.300-1"

The problems have been fixed upstream in version 2.300.

Workaround

As a workaround for CVE-2021-21670, do not grant Item/Cancel permission
to users who do not have Item/Read permission. No known workaround
exists for CVE-2021-21671.
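
One way to check an existing configuration against this workaround, as an added example that is not part of the advisory or of Jenkins. It assumes permissions are managed by the Matrix Authorization Strategy plugin and stored as <permission> entries in config.xml, and it looks only at explicit grants: group membership and grants to anonymous or authenticated are not resolved. The sample configuration and its user names are constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

CANCEL = "hudson.model.Item.Cancel"
READ = "hudson.model.Item.Read"
ADMIN = "hudson.model.Hudson.Administer"  # Overall/Administer implies every permission

# Constructed sample, not taken from a real instance.
SAMPLE_CONFIG = """<hudson>
  <authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:admin</permission>
    <permission>hudson.model.Item.Cancel:admin</permission>
    <permission>hudson.model.Item.Read:alice</permission>
    <permission>hudson.model.Item.Cancel:alice</permission>
    <permission>hudson.model.Item.Cancel:bob</permission>
    <permission>GROUP:hudson.model.Item.Cancel:ops</permission>
    <permission>USER:hudson.model.Item.Build:carol</permission>
  </authorizationStrategy>
</hudson>"""

def parse_grants(xml_text):
    """Return {sid: set(permission ids)} from every <permission> element."""
    grants = defaultdict(set)
    for node in ET.fromstring(xml_text).iter("permission"):
        entry = (node.text or "").strip()
        # Newer plugin versions prefix entries with USER: or GROUP:.
        for prefix in ("USER:", "GROUP:"):
            if entry.startswith(prefix):
                entry = entry[len(prefix):]
                break
        perm, sep, sid = entry.partition(":")
        if sep and sid:
            grants[sid].add(perm)
    return grants

def cancel_without_read(xml_text):
    """Sids explicitly granted Item/Cancel but not Item/Read."""
    grants = parse_grants(xml_text)
    return sorted(
        sid for sid, perms in grants.items()
        if CANCEL in perms and READ not in perms and ADMIN not in perms
    )

if __name__ == "__main__":
    for sid in cancel_without_read(SAMPLE_CONFIG):
        print(f"{sid}: has Item/Cancel without Item/Read")
```

Run it against the global config.xml and each job's config.xml separately; a sid flagged in a job file may still hold Item/Read through a global grant.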

Description

  • CVE-2021-21670 (access restriction bypass)

Jenkins 2.299 and earlier allows users to cancel queue items and abort
builds of jobs for which they have Item/Cancel permission even when
they do not have Item/Read permission. Jenkins 2.300 requires that
users have Item/Read permission for applicable types in addition to
Item/Cancel permission.

As a workaround on earlier versions of Jenkins, do not grant
Item/Cancel permission to users who do not have Item/Read permission.

  • CVE-2021-21671 (authentication bypass)

Jenkins 2.299 and earlier does not invalidate the existing session on
login. This allows attackers to use social engineering techniques to
gain administrator access to Jenkins. Jenkins 2.300 invalidates the
existing session on login.

Impact

A remote attacker could log in to an expired user session.
Additionally, users could cancel queue items and abort builds for which
they do not have Item/Read permission.

References

https://www.jenkins.io/security/advisory/2021-06-30/#SECURITY-2278
https://github.com/jenkinsci/jenkins/commit/86b7d7e789586575522650c60d591605facb1d70
https://www.jenkins.io/security/advisory/2021-06-30/#SECURITY-2371
https://github.com/jenkinsci/jenkins/commit/25a42f3942fd9f8bd768c887c679dbc796b4fcd5
https://security.archlinux.org/CVE-2021-21670
https://security.archlinux.org/CVE-2021-21671

OS         Version  Architecture  Package  Version    Filename
ArchLinux  any      any           jenkins  < 2.300-1  UNKNOWN
