CVE-2021-21647 - Vulnerability Details

Vendors	Products
Jenkins	Cloudbees Cd

Link	Providers
http://www.openwall.com/lists/oss-security/2021/04/21/2
https://www.jenkins.io/security/advisory/2021-04-21/#SECURITY-2309

Show plain JSON

{"containers": {"cna": {"affected": [{"product": "Jenkins CloudBees CD Plugin", "vendor": "Jenkins project", "versions": [{"lessThanOrEqual": "1.1.21", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"status": "unaffected", "version": "1.1.18.1"}]}], "descriptions": [{"lang": "en", "value": "Jenkins CloudBees CD Plugin 1.1.21 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Item/Read permission to schedule builds of projects without having Item/Build permission."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2023-10-24T15:51:11.677Z"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.jenkins.io/security/advisory/2021-04-21/#SECURITY-2309"}, {"name": "[oss-security] 20210421 Multiple vulnerabilities in Jenkins plugins", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2021/04/21/2"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "jenkinsci-cert@googlegroups.com", "ID": "CVE-2021-21647", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Jenkins CloudBees CD Plugin", "version": {"version_data": [{"version_affected": "<=", "version_value": "1.1.21"}, {"version_affected": "!", "version_value": "1.1.18.1"}]}}]}, "vendor_name": "Jenkins project"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Jenkins CloudBees CD Plugin 1.1.21 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Item/Read permission to schedule builds of projects without having Item/Build permission."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-862: Missing Authorization"}]}]}, "references": {"reference_data": [{"name": "https://www.jenkins.io/security/advisory/2021-04-21/#SECURITY-2309", "refsource": "CONFIRM", "url": "https://www.jenkins.io/security/advisory/2021-04-21/#SECURITY-2309"}, {"name": "[oss-security] 20210421 Multiple vulnerabilities in Jenkins plugins", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2021/04/21/2"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:16:23.705Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.jenkins.io/security/advisory/2021-04-21/#SECURITY-2309"}, {"name": "[oss-security] 20210421 Multiple vulnerabilities in Jenkins plugins", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2021/04/21/2"}]}]}, "cveMetadata": {"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2021-21647", "datePublished": "2021-04-21T14:20:36", "dateReserved": "2021-01-04T00:00:00", "dateUpdated": "2024-08-03T18:16:23.705Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{

containers : { »

cna : { »

affected : [ »

0 : { »

product : Jenkins CloudBees CD Plugin (string)

vendor : Jenkins project (string)

versions : [ »

0 : { »

lessThanOrEqual : 1.1.21 (string)

status : affected (string)

version : unspecified (string)

versionType : custom (string)

}

1 : { »

status : unaffected (string)

version : 1.1.18.1 (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : Jenkins CloudBees CD Plugin 1.1.21 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Item/Read permission to schedule builds of projects without having Item/Build permission. (string)

}

]

providerMetadata : { »

orgId : 39769cd5-e6e2-4dc8-927e-97b3aa056f5b (string)

shortName : jenkins (string)

dateUpdated : 2023-10-24T15:51:11.677Z (string)

}

references : [ »

0 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

]

url : https://www.jenkins.io/security/advisory/2021-04-21/#SECURITY-2309 (string)

}

1 : { »

name : [oss-security] 20210421 Multiple vulnerabilities in Jenkins plugins (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

]

url : http://www.openwall.com/lists/oss-security/2021/04/21/2 (string)

}

]

x_legacyV4Record : { »

CVE_data_meta : { »

ASSIGNER : jenkinsci-cert@googlegroups.com (string)

ID : CVE-2021-21647 (string)

STATE : PUBLIC (string)

}

affects : { »

vendor : { »

vendor_data : [ »

0 : { »

product : { »

product_data : [ »

0 : { »

product_name : Jenkins CloudBees CD Plugin (string)

version : { »

version_data : [ »

0 : { »

version_affected : <= (string)

version_value : 1.1.21 (string)

}

1 : { »

version_affected : ! (string)

version_value : 1.1.18.1 (string)

}

]

}

]

}

vendor_name : Jenkins project (string)

}

]

}

data_format : MITRE (string)

data_type : CVE (string)

data_version : 4.0 (string)

description : { »

description_data : [ »

0 : { »

lang : eng (string)

value : Jenkins CloudBees CD Plugin 1.1.21 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Item/Read permission to schedule builds of projects without having Item/Build permission. (string)

}

]

}

problemtype : { »

problemtype_data : [ »

0 : { »

description : [ »

0 : { »

lang : eng (string)

value : CWE-862: Missing Authorization (string)

}

]

}

]

}

references : { »

reference_data : [ »

0 : { »

name : https://www.jenkins.io/security/advisory/2021-04-21/#SECURITY-2309 (string)

refsource : CONFIRM (string)

url : https://www.jenkins.io/security/advisory/2021-04-21/#SECURITY-2309 (string)

}

1 : { »

name : [oss-security] 20210421 Multiple vulnerabilities in Jenkins plugins (string)

refsource : MLIST (string)

url : http://www.openwall.com/lists/oss-security/2021/04/21/2 (string)

}

]

}

adp : [ »

0 : { »

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-03T18:16:23.705Z (string)

}

title : CVE Program Container (string)

references : [ »

0 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

1 : x_transferred (string)

]

url : https://www.jenkins.io/security/advisory/2021-04-21/#SECURITY-2309 (string)

}

1 : { »

name : [oss-security] 20210421 Multiple vulnerabilities in Jenkins plugins (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

2 : x_transferred (string)

]

url : http://www.openwall.com/lists/oss-security/2021/04/21/2 (string)

}

]

}

]

}

cveMetadata : { »

assignerOrgId : 39769cd5-e6e2-4dc8-927e-97b3aa056f5b (string)

assignerShortName : jenkins (string)

cveId : CVE-2021-21647 (string)

datePublished : 2021-04-21T14:20:36 (string)

dateReserved : 2021-01-04T00:00:00 (string)

dateUpdated : 2024-08-03T18:16:23.705Z (string)

state : PUBLISHED (string)

}

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

}

Show plain JSON

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:cloudbees_cd:*:*:*:*:*:jenkins:*:*", "matchCriteriaId": "DFBBD4AC-E089-466A-B0E5-6C0BE782C039", "versionEndIncluding": "1.1.21", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Jenkins CloudBees CD Plugin 1.1.21 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Item/Read permission to schedule builds of projects without having Item/Build permission."}, {"lang": "es", "value": "Jenkins CloudBees CD Plugin versiones 1.1.21 y anteriores, no llevan a cabo una comprobaci\u00f3n de permisos en un endpoint HTTP, permitiendo a atacantes con permiso Item/Read programar compilaciones de proyectos sin tener permiso Item/Build"}], "id": "CVE-2021-21647", "lastModified": "2024-11-21T05:48:45.783", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-04-21T15:15:08.477", "references": [{"source": "jenkinsci-cert@googlegroups.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/04/21/2"}, {"source": "jenkinsci-cert@googlegroups.com", "tags": ["Vendor Advisory"], "url": "https://www.jenkins.io/security/advisory/2021-04-21/#SECURITY-2309"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/04/21/2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.jenkins.io/security/advisory/2021-04-21/#SECURITY-2309"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Modified"}

{

configurations : [ »

0 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:a:jenkins:cloudbees_cd:*:*:*:*:*:jenkins:*:* (string)

matchCriteriaId : DFBBD4AC-E089-466A-B0E5-6C0BE782C039 (string)

versionEndIncluding : 1.1.21 (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : Jenkins CloudBees CD Plugin 1.1.21 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Item/Read permission to schedule builds of projects without having Item/Build permission. (string)

}

1 : { »

lang : es (string)

value : Jenkins CloudBees CD Plugin versiones 1.1.21 y anteriores, no llevan a cabo una comprobación de permisos en un endpoint HTTP, permitiendo a atacantes con permiso Item/Read programar compilaciones de proyectos sin tener permiso Item/Build (string)

}

]

id : CVE-2021-21647 (string)

lastModified : 2024-11-21T05:48:45.783 (string)

metrics : { »

cvssMetricV2 : [ »

0 : { »

acInsufInfo : false (boolean)

baseSeverity : MEDIUM (string)

cvssData : { »

accessComplexity : LOW (string)

accessVector : NETWORK (string)

authentication : SINGLE (string)

availabilityImpact : NONE (string)

baseScore : 4 (number)

confidentialityImpact : NONE (string)

integrityImpact : PARTIAL (string)

vectorString : AV:N/AC:L/Au:S/C:N/I:P/A:N (string)

version : 2.0 (string)

}

exploitabilityScore : 8 (number)

impactScore : 2.9 (number)

obtainAllPrivilege : false (boolean)

obtainOtherPrivilege : false (boolean)

obtainUserPrivilege : false (boolean)

source : nvd@nist.gov (string)

type : Primary (string)

userInteractionRequired : false (boolean)

}

]

cvssMetricV31 : [ »

0 : { »

cvssData : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : NONE (string)

baseScore : 4.3 (number)

baseSeverity : MEDIUM (string)

confidentialityImpact : NONE (string)

integrityImpact : LOW (string)

privilegesRequired : LOW (string)

scope : UNCHANGED (string)

userInteraction : NONE (string)

vectorString : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N (string)

version : 3.1 (string)

}

exploitabilityScore : 2.8 (number)

impactScore : 1.4 (number)

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

published : 2021-04-21T15:15:08.477 (string)

references : [ »

0 : { »

source : jenkinsci-cert@googlegroups.com (string)

tags : [ »

0 : Mailing List (string)

1 : Third Party Advisory (string)

]

url : http://www.openwall.com/lists/oss-security/2021/04/21/2 (string)

}

1 : { »

source : jenkinsci-cert@googlegroups.com (string)

tags : [ »

0 : Vendor Advisory (string)

]

url : https://www.jenkins.io/security/advisory/2021-04-21/#SECURITY-2309 (string)

}

2 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Mailing List (string)

1 : Third Party Advisory (string)

]

url : http://www.openwall.com/lists/oss-security/2021/04/21/2 (string)

}

3 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Vendor Advisory (string)

]

url : https://www.jenkins.io/security/advisory/2021-04-21/#SECURITY-2309 (string)

}

]

sourceIdentifier : jenkinsci-cert@googlegroups.com (string)

vulnStatus : Modified (string)

}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object