ghsa-4625-q52w-39cx
Vulnerability from github
Published
2022-05-24 17:39
Modified
2023-10-27 13:45
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Missing permission check for paths with specific prefix in Jenkins
Details

Jenkins includes a static list of URLs that are always accessible even without Overall/Read permission, such as the login form. These URLs are excluded from an otherwise universal permission check.

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not correctly compare requested URLs with that list.

This allows attackers without Overall/Read permission to access plugin-provided URLs with any of the following prefixes if no other permissions are required: - accessDenied - error - instance-identity - login - logout - oops - securityRealm - signup - tcpSlaveAgentListener

For example, a plugin contributing the path loginFoo/ would have URLs in that space accessible without the default Overall/Read permission check.

The Jenkins security team is not aware of any affected plugins as of the publication of this advisory.

The comparison of requested URLs with the list of always accessible URLs has been fixed to only allow access to the specific listed URLs in Jenkins 2.275, LTS 2.263.2.

In case this change causes problems, additional paths can be made accessible without Overall/Read permissions: The Java system property jenkins.model.Jenkins.additionalReadablePaths is a comma-separated list of additional path prefixes to allow access to.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.263.1"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.main:jenkins-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.263.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.274"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.main:jenkins-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.264"
            },
            {
              "fixed": "2.275"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-21609"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-23T06:51:02Z",
    "nvd_published_at": "2021-01-13T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins includes a static list of URLs that are always accessible even without Overall/Read permission, such as the login form. These URLs are excluded from an otherwise universal permission check.\n\nJenkins 2.274 and earlier, LTS 2.263.1 and earlier does not correctly compare requested URLs with that list.\n\nThis allows attackers without Overall/Read permission to access plugin-provided URLs with any of the following prefixes if no other permissions are required:\n- `accessDenied`\n- `error`\n- `instance-identity`\n- `login`\n- `logout`\n- `oops`\n- `securityRealm`\n- `signup`\n- `tcpSlaveAgentListener`\n\nFor example, a plugin contributing the path `loginFoo/` would have URLs in that space accessible without the default Overall/Read permission check.\n\nThe Jenkins security team is not aware of any affected plugins as of the publication of this advisory.\n\nThe comparison of requested URLs with the list of always accessible URLs has been fixed to only allow access to the specific listed URLs in Jenkins 2.275, LTS 2.263.2.\n\nIn case this change causes problems, additional paths can be made accessible without Overall/Read permissions: The [Java system property](https://www.jenkins.io/doc/book/managing/system-properties/) `jenkins.model.Jenkins.additionalReadablePaths` is a comma-separated list of additional path prefixes to allow access to.",
  "id": "GHSA-4625-q52w-39cx",
  "modified": "2023-10-27T13:45:16Z",
  "published": "2022-05-24T17:39:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21609"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/jenkins/commit/fe9091fc74d55a56fd36544f3038d47c8cb331a4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/jenkins"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2047"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Missing permission check for paths with specific prefix in Jenkins"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.