SB2021040814 - Multiple vulnerabilities in Jenkins and Jenkins LTS

Description

This security bulletin contains information about 2 vulnerabilities.

1) Input validation error (CVE-ID: CVE-2021-21639)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to the affected software does not validate the type of object created after loading the data submitted to the "config.xml" REST API endpoint of a node. A remote authenticated attacker can replace a node with one of a different type.

2) Improper Authentication (CVE-ID: CVE-2021-21640)

CWE-ID: CWE-287 - Improper Authentication

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to the affected software does not properly check that a newly created view has an allowed name. A remote authenticated attacker can create views with invalid or already-used names.

Remediation

Install update from vendor's website.

References

• http://www.openwall.com/lists/oss-security/2021/04/07/2
• https://www.jenkins.io/security/advisory/2021-04-07/#SECURITY-1721
• https://www.jenkins.io/security/advisory/2021-04-07/#SECURITY-1871