Multiple vulnerabilities in Jenkins and Jenkins LTS



Published: 2021-04-08
Risk Low
Patch available YES
Number of vulnerabilities 2
CVE ID CVE-2021-21639
CVE-2021-21640
CWE ID CWE-20
CWE-287
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Jenkins
Server applications / Application servers

Jenkins LTS
Server applications / Application servers

Vendor Jenkins

Security Advisory

1) Input validation error

Risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21639

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to the affected software does not validate the type of object created after loading the data submitted to the "config.xml" REST API endpoint of a node. A remote authenticated attacker can replace a node with one of a different type.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Jenkins: 2.0, 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.8, 2.9, 2.10, 2.11, 2.12, 2.13, 2.14, 2.15, 2.16, 2.17, 2.18, 2.19, 2.19.1, 2.19.2, 2.19.3, 2.19.4, 2.20, 2.21, 2.22, 2.23, 2.24, 2.25, 2.26, 2.27, 2.28, 2.29, 2.30, 2.31, 2.32, 2.32.1, 2.32.2, 2.32.3, 2.33, 2.34, 2.35, 2.36, 2.37, 2.38, 2.39, 2.40, 2.41, 2.42, 2.43, 2.44, 2.45, 2.46, 2.46.1, 2.46.2, 2.46.3, 2.47, 2.48, 2.49, 2.50, 2.51, 2.52, 2.53, 2.54, 2.55, 2.56, 2.57, 2.58, 2.59, 2.60, 2.60.1, 2.60.2, 2.60.3, 2.61, 2.62, 2.63, 2.64, 2.65, 2.66, 2.67, 2.68, 2.69, 2.70, 2.71, 2.72, 2.73, 2.73.1, 2.73.2, 2.73.3, 2.74, 2.75, 2.76, 2.77, 2.78, 2.79, 2.80, 2.81, 2.82, 2.83, 2.84, 2.85, 2.86, 2.87, 2.88, 2.89, 2.89.1, 2.89.2, 2.89.3, 2.89.4, 2.90, 2.91, 2.92, 2.93, 2.94, 2.95, 2.96, 2.97, 2.98, 2.99, 2.100, 2.101, 2.102, 2.103, 2.104, 2.105, 2.106, 2.107, 2.107.1, 2.107.2, 2.107.3, 2.108, 2.109, 2.110, 2.111, 2.112, 2.113, 2.114, 2.115, 2.116, 2.117, 2.118, 2.119, 2.120, 2.121, 2.121.1, 2.121.2, 2.121.3, 2.122, 2.123, 2.124, 2.125, 2.126, 2.127, 2.128, 2.129, 2.130, 2.131, 2.132, 2.133, 2.134, 2.135, 2.136, 2.137, 2.138, 2.138.1, 2.138.2, 2.138.3, 2.138.4, 2.139, 2.140, 2.141, 2.142, 2.143, 2.144, 2.145, 2.146, 2.147, 2.148, 2.149, 2.150, 2.150.1, 2.150.2, 2.150.3, 2.151, 2.152, 2.153, 2.154, 2.155, 2.156, 2.157, 2.158, 2.159, 2.160, 2.161, 2.162, 2.163, 2.164, 2.164.1, 2.164.2, 2.164.3, 2.165, 2.166, 2.167, 2.168, 2.169, 2.170, 2.171, 2.172, 2.173, 2.174, 2.175, 2.176, 2.176.1, 2.176.2, 2.176.3, 2.176.4, 2.177, 2.178, 2.179, 2.180, 2.181, 2.182, 2.183, 2.184, 2.185, 2.186, 2.187, 2.189, 2.190, 2.190.1, 2.190.2, 2.190.3, 2.191, 2.192, 2.193, 2.194, 2.195, 2.196, 2.197, 2.198, 2.199, 2.200, 2.201, 2.202, 2.203, 2.204, 2.204.1, 2.204.2, 2.204.3, 2.204.4, 2.204.5, 2.204.6, 2.205, 2.206, 2.207, 2.208, 2.209, 2.210, 2.211, 2.212, 2.213, 2.214, 2.215, 2.216, 2.217, 2.218, 2.219, 2.220, 2.221, 2.222, 2.222.1, 2.222.3, 2.222.4, 2.223, 2.224, 2.225, 2.226, 2.227, 2.228, 2.229, 2.230, 2.231, 2.232, 2.233, 2.234, 2.235, 2.235.1, 2.235.2, 2.235.3, 2.235.4, 2.235.5, 2.236, 2.237, 2.238, 2.239, 2.240, 2.241, 2.242, 2.243, 2.244, 2.245, 2.246, 2.247, 2.248, 2.249, 2.249.1, 2.249.2, 2.249.3, 2.250, 2.251, 2.252, 2.253, 2.254, 2.255, 2.256, 2.257, 2.258, 2.259, 2.260, 2.261, 2.262, 2.263, 2.263.1, 2.263.2, 2.263.3, 2.263.4, 2.264, 2.265, 2.266, 2.267, 2.268, 2.269, 2.270, 2.271, 2.272, 2.273, 2.274, 2.275, 2.276, 2.277, 2.278, 2.279, 2.280, 2.281, 2.282, 2.283, 2.284, 2.285, 2.286

Jenkins LTS: 1.409.1, 1.409.2, 1.409.3, 1.424.1, 1.424.2, 1.424.3, 1.424.4, 1.424.5, 1.424.6, 1.447.1, 1.447.2, 1.466.1, 1.466.2, 1.480.1, 1.480.2, 1.480.3, 1.509.1, 1.509.2, 1.509.3, 1.509.4, 1.532.1, 1.532.2, 1.532.3, 1.554.1, 1.554.2, 1.554.3, 1.565.1, 1.565.2, 1.565.3, 1.580.1, 1.580.2, 1.580.3, 1.596.1, 1.596.2, 1.596.3, 1.609.1, 1.609.2, 1.609.3, 1.625.1, 1.625.2, 1.625.3, 1.642.1, 1.642.2, 1.642.3, 1.642.4, 1.651.1, 1.651.2, 1.651.3, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.19.1, 2.19.2, 2.19.3, 2.19.4, 2.32.1, 2.32.2, 2.32.3, 2.46.1, 2.46.2, 2.46.3, 2.60.1, 2.60.2, 2.60.3, 2.73.1, 2.73.2, 2.73.3, 2.89.1, 2.89.2, 2.89.3, 2.89.4, 2.107.1, 2.107.2, 2.107.3, 2.121.1, 2.121.2, 2.121.3, 2.138.1, 2.138.2, 2.138.3, 2.138.4, 2.150.1, 2.150.2, 2.150.3, 2.164.1, 2.164.2, 2.164.3, 2.176.1, 2.176.2, 2.176.3, 2.176.4, 2.190.1, 2.190.2, 2.190.3, 2.204.1, 2.204.2, 2.204.3, 2.204.4, 2.204.5, 2.204.6, 2.222.1, 2.222.2, 2.222.3, 2.222.4, 2.235.1, 2.235.2, 2.235.3, 2.235.4, 2.235.5, 2.249.1, 2.249.2, 2.249.3, 2.263.1, 2.263.2, 2.263.3, 2.263.4, 2.277.1

CPE External links

http://www.openwall.com/lists/oss-security/2021/04/07/2
https://www.jenkins.io/security/advisory/2021-04-07/#SECURITY-1721

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper Authentication

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21640

CWE-ID: CWE-287 - Improper Authentication

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to the affected software does not properly check that a newly created view has an allowed name. A remote authenticated attacker can create views with invalid or already-used names.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Jenkins: 2.0, 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.8, 2.9, 2.10, 2.11, 2.12, 2.13, 2.14, 2.15, 2.16, 2.17, 2.18, 2.19, 2.19.1, 2.19.2, 2.19.3, 2.19.4, 2.20, 2.21, 2.22, 2.23, 2.24, 2.25, 2.26, 2.27, 2.28, 2.29, 2.30, 2.31, 2.32, 2.32.1, 2.32.2, 2.32.3, 2.33, 2.34, 2.35, 2.36, 2.37, 2.38, 2.39, 2.40, 2.41, 2.42, 2.43, 2.44, 2.45, 2.46, 2.46.1, 2.46.2, 2.46.3, 2.47, 2.48, 2.49, 2.50, 2.51, 2.52, 2.53, 2.54, 2.55, 2.56, 2.57, 2.58, 2.59, 2.60, 2.60.1, 2.60.2, 2.60.3, 2.61, 2.62, 2.63, 2.64, 2.65, 2.66, 2.67, 2.68, 2.69, 2.70, 2.71, 2.72, 2.73, 2.73.1, 2.73.2, 2.73.3, 2.74, 2.75, 2.76, 2.77, 2.78, 2.79, 2.80, 2.81, 2.82, 2.83, 2.84, 2.85, 2.86, 2.87, 2.88, 2.89, 2.89.1, 2.89.2, 2.89.3, 2.89.4, 2.90, 2.91, 2.92, 2.93, 2.94, 2.95, 2.96, 2.97, 2.98, 2.99, 2.100, 2.101, 2.102, 2.103, 2.104, 2.105, 2.106, 2.107, 2.107.1, 2.107.2, 2.107.3, 2.108, 2.109, 2.110, 2.111, 2.112, 2.113, 2.114, 2.115, 2.116, 2.117, 2.118, 2.119, 2.120, 2.121, 2.121.1, 2.121.2, 2.121.3, 2.122, 2.123, 2.124, 2.125, 2.126, 2.127, 2.128, 2.129, 2.130, 2.131, 2.132, 2.133, 2.134, 2.135, 2.136, 2.137, 2.138, 2.138.1, 2.138.2, 2.138.3, 2.138.4, 2.139, 2.140, 2.141, 2.142, 2.143, 2.144, 2.145, 2.146, 2.147, 2.148, 2.149, 2.150, 2.150.1, 2.150.2, 2.150.3, 2.151, 2.152, 2.153, 2.154, 2.155, 2.156, 2.157, 2.158, 2.159, 2.160, 2.161, 2.162, 2.163, 2.164, 2.164.1, 2.164.2, 2.164.3, 2.165, 2.166, 2.167, 2.168, 2.169, 2.170, 2.171, 2.172, 2.173, 2.174, 2.175, 2.176, 2.176.1, 2.176.2, 2.176.3, 2.176.4, 2.177, 2.178, 2.179, 2.180, 2.181, 2.182, 2.183, 2.184, 2.185, 2.186, 2.187, 2.189, 2.190, 2.190.1, 2.190.2, 2.190.3, 2.191, 2.192, 2.193, 2.194, 2.195, 2.196, 2.197, 2.198, 2.199, 2.200, 2.201, 2.202, 2.203, 2.204, 2.204.1, 2.204.2, 2.204.3, 2.204.4, 2.204.5, 2.204.6, 2.205, 2.206, 2.207, 2.208, 2.209, 2.210, 2.211, 2.212, 2.213, 2.214, 2.215, 2.216, 2.217, 2.218, 2.219, 2.220, 2.221, 2.222, 2.222.1, 2.222.3, 2.222.4, 2.223, 2.224, 2.225, 2.226, 2.227, 2.228, 2.229, 2.230, 2.231, 2.232, 2.233, 2.234, 2.235, 2.235.1, 2.235.2, 2.235.3, 2.235.4, 2.235.5, 2.236, 2.237, 2.238, 2.239, 2.240, 2.241, 2.242, 2.243, 2.244, 2.245, 2.246, 2.247, 2.248, 2.249, 2.249.1, 2.249.2, 2.249.3, 2.250, 2.251, 2.252, 2.253, 2.254, 2.255, 2.256, 2.257, 2.258, 2.259, 2.260, 2.261, 2.262, 2.263, 2.263.1, 2.263.2, 2.263.3, 2.263.4, 2.264, 2.265, 2.266, 2.267, 2.268, 2.269, 2.270, 2.271, 2.272, 2.273, 2.274, 2.275, 2.276, 2.277, 2.278, 2.279, 2.280, 2.281, 2.282, 2.283, 2.284, 2.285, 2.286

Jenkins LTS: 1.409.1, 1.409.2, 1.409.3, 1.424.1, 1.424.2, 1.424.3, 1.424.4, 1.424.5, 1.424.6, 1.447.1, 1.447.2, 1.466.1, 1.466.2, 1.480.1, 1.480.2, 1.480.3, 1.509.1, 1.509.2, 1.509.3, 1.509.4, 1.532.1, 1.532.2, 1.532.3, 1.554.1, 1.554.2, 1.554.3, 1.565.1, 1.565.2, 1.565.3, 1.580.1, 1.580.2, 1.580.3, 1.596.1, 1.596.2, 1.596.3, 1.609.1, 1.609.2, 1.609.3, 1.625.1, 1.625.2, 1.625.3, 1.642.1, 1.642.2, 1.642.3, 1.642.4, 1.651.1, 1.651.2, 1.651.3, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.19.1, 2.19.2, 2.19.3, 2.19.4, 2.32.1, 2.32.2, 2.32.3, 2.46.1, 2.46.2, 2.46.3, 2.60.1, 2.60.2, 2.60.3, 2.73.1, 2.73.2, 2.73.3, 2.89.1, 2.89.2, 2.89.3, 2.89.4, 2.107.1, 2.107.2, 2.107.3, 2.121.1, 2.121.2, 2.121.3, 2.138.1, 2.138.2, 2.138.3, 2.138.4, 2.150.1, 2.150.2, 2.150.3, 2.164.1, 2.164.2, 2.164.3, 2.176.1, 2.176.2, 2.176.3, 2.176.4, 2.190.1, 2.190.2, 2.190.3, 2.204.1, 2.204.2, 2.204.3, 2.204.4, 2.204.5, 2.204.6, 2.222.1, 2.222.2, 2.222.3, 2.222.4, 2.235.1, 2.235.2, 2.235.3, 2.235.4, 2.235.5, 2.249.1, 2.249.2, 2.249.3, 2.263.1, 2.263.2, 2.263.3, 2.263.4, 2.277.1

CPE External links

http://www.openwall.com/lists/oss-security/2021/04/07/2
https://www.jenkins.io/security/advisory/2021-04-07/#SECURITY-1871

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###