First published: Wed Jan 13 2021
Jenkins 2.274 and earlier, and LTS 2.263.1 and earlier, do not correctly match requested URLs against the list of always accessible paths, allowing attackers without Overall/Read permission to access some URLs as if they did have Overall/Read permission.
Credit: jenkinsci-cert@googlegroups.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.jenkins-ci.main:jenkins-core | >=2.264, <=2.274 | 2.275 |
| maven/org.jenkins-ci.main:jenkins-core | <=2.263.1 | 2.263.2 |
| Jenkins Jenkins | <=2.263.1 | |
| Jenkins Jenkins | <=2.274 | |
| redhat/jenkins | <0:2.263.3.1612433584-1.el7 | 0:2.263.3.1612433584-1.el7 |
| redhat/conmon | <2:2.0.21-1.rhaos4.5.el7 | 2:2.0.21-1.rhaos4.5.el7 |
| redhat/jenkins | <0:2.263.3.1612434332-1.el7 | 0:2.263.3.1612434332-1.el7 |
| redhat/machine-config-daemon | <0:4.5.0-202102050524.p0.git.2594.ff3b8c0.el8 | 0:4.5.0-202102050524.p0.git.2594.ff3b8c0.el8 |
| redhat/openshift | <0:4.5.0-202102050524.p0.git.0.9229406.el7 | 0:4.5.0-202102050524.p0.git.0.9229406.el7 |
| redhat/openshift-ansible | <0:4.5.0-202102031005.p0.git.0.c6839a2.el7 | 0:4.5.0-202102031005.p0.git.0.c6839a2.el7 |
| redhat/openshift-clients | <0:4.5.0-202102051529.p0.git.3612.61b096a.el8 | 0:4.5.0-202102051529.p0.git.3612.61b096a.el8 |
| redhat/runc | <0:1.0.0-72.rhaos4.5.giteadfc6b.el8 | 0:1.0.0-72.rhaos4.5.giteadfc6b.el8 |
| redhat/jenkins | <0:2.263.3.1612434510-1.el8 | 0:2.263.3.1612434510-1.el8 |
The severity of CVE-2021-21609 is medium, with a score of 5.3.
CVE-2021-21609 allows attackers without Overall/Read permission to access certain URLs as if they had Overall/Read permission.
Jenkins 2.274 and earlier, and LTS 2.263.1 and earlier, are affected by CVE-2021-21609.
To fix CVE-2021-21609, update Jenkins to version 2.275 or later, or to LTS 2.263.2 or later.
For more information about CVE-2021-21609, you can visit the CVE website (https://www.cve.org/CVERecord?id=CVE-2021-21609) or the NIST National Vulnerability Database (https://nvd.nist.gov/vuln/detail/CVE-2021-21609).