Improper access control in P4

#VU53181 Improper access control in P4

Published: 2021-05-12

Vulnerability identifier: #VU53181

Vulnerability risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21654

CWE-ID: CWE-284

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
P4
Web applications / Modules and components for CMS

Vendor: Jenkins

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to the affected plugin does not perform permission checks in multiple HTTP endpoints implementing connection tests. A remote authenticated attacker can connect to an attacker-specified Perforce server using attacker-specified username and password.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

P4: 1.0.1 - 1.11.4

External links
http://www.jenkins.io/security/advisory/2021-05-11/#SECURITY-2327

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Jenkins P4 plugin