[ASA-202107-5] jenkins: multiple issues
diabonas at archlinux.org
Sat Jul 3 16:24:58 UTC 2021
Arch Linux Security Advisory ASA-202107-5
Date : 2021-07-01
CVE-ID : CVE-2021-21670 CVE-2021-21671
Package : jenkins
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-2118
The package jenkins before version 2.300-1 is vulnerable to multiple
issues including authentication bypass and access restriction bypass.
Upgrade to 2.300-1.
# pacman -Syu "jenkins>=2.300-1"
The problems have been fixed upstream in version 2.300.
As a workaround for CVE-2021-21670, do not grant Item/Cancel permission
to users who do not have Item/Read permission. No known workaround
exists for CVE-2021-21671.
- CVE-2021-21670 (access restriction bypass)
Jenkins 2.299 and earlier allows users to cancel queue items and abort
builds of jobs for which they have Item/Cancel permission even when
they do not have Item/Read permission. Jenkins 2.300 requires that
users have Item/Read permission for applicable types in addition to
As a workaround on earlier versions of Jenkins, do not grant
Item/Cancel permission to users who do not have Item/Read permission.
- CVE-2021-21671 (authentication bypass)
Jenkins 2.299 and earlier does not invalidate the existing session on
login. This allows attackers to use social engineering techniques to
gain administrator access to Jenkins. Jenkins 2.300 invalidates the
existing session on login.
A remote attacker could login into an expired user session.
Additionally, users could cancel queue items and abort builds for which
they do not have Item/Read permission.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 833 bytes
Desc: not available
More information about the arch-security