CVE-2021-21640
UNKNOWN
Published 2021-04-07T13:50:14
Actions:
Expert Analysis
Professional remediation guidance
Get tailored security recommendations from our analyst team for CVE-2021-21640. We'll provide specific mitigation strategies based on your environment and risk profile.
No CVSS data available
Description
Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not properly check that a newly created view has an allowed name, allowing attackers with View/Create permission to create views with invalid or already-used names.
Available Exploits
No exploits available for this CVE.
Related News
No news articles found for this CVE.
Affected Products
Affected Versions:
GitHub Security Advisories
Community-driven vulnerability intelligence from GitHub
Advisory Details
Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not properly check that a newly created view has an allowed name. When a form to create a view is submitted, the name is included twice in the submission. One instance is validated, but the other instance is used to create the value.
This allows attackers with View/Create permission to create views with invalid or already-used names.
Jenkins 2.287, LTS 2.277.2 uses the same submitted value for validation and view creation.
Affected Packages
Maven
org.jenkins-ci.main:jenkins-core
ECOSYSTEM:
≥0
<2.277.2
Maven
org.jenkins-ci.main:jenkins-core
ECOSYSTEM:
≥2.278
<2.287
CVSS Scoring
CVSS Score
5.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
References
Advisory provided by GitHub Security Advisory Database. Published: May 24, 2022, Modified: December 13, 2022
References
Published: 2021-04-07T13:50:14
Last Modified: 2024-08-03T18:16:23.813Z
Copied to clipboard!