CVE-2021-21623 — Vulnetix

CVE-2021-21623 PUBLISHED CVSS 6.5 MEDIUM

An incorrect permission check in Jenkins Matrix Authorization Strategy Plugin 2.6.5 and earlier allows attackers with Item/Read permission on nested items to access them, even if they lack Item/Read permission for parent folders.

EPSS 0.10% · 27.3th percentile

Risk Scores

CVSS v3.1

6.5

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS Score

0.10%

27.3th percentile

Affected Products

Vendor	Product	Versions
jenkins	matrix_authorization_strategy	0
Maven	org.jenkins-ci.plugins:matrix-auth	0
Jenkins project	Jenkins Matrix Authorization Strategy Plugin	unspecified, 2.5.2, 2.6.3.1

Timeline

Mar 18, 2021 CVE Published
Apr 14, 2021 EPSS Score
Jun 22, 2021 EPSS Score
Aug 24, 2021 EPSS Score
Oct 25, 2021 EPSS Score
Jan 6, 2022 EPSS Score
Feb 4, 2022 EPSS Score
Feb 27, 2022 EPSS Score
Apr 1, 2022 EPSS Score
May 1, 2022 EPSS Score
Jul 2, 2022 EPSS Score
Sep 4, 2022 EPSS Score

References

https://www.jenkins.io/security/advisory/2021-03-18/#SECURITY-2180 url
[oss-security] 20210318 Multiple vulnerabilities in Jenkins plugins mailing-list
https://nvd.nist.gov/vuln/detail/CVE-2021-21623 advisory
https://github.com/jenkinsci/matrix-auth-plugin/commit/bbe358575155912b818ab3c6e8b9623f21ad3418 url
https://github.com/jenkinsci/matrix-auth-plugin package

Open in Interactive Console →