CVE-2021-21626
Missing permission checks in Jenkins Warnings Next Generation Plugin allow listing workspace contents
Description
Jenkins Warnings Next Generation Plugin 8.4.4 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Item/Read permission but without Item/Workspace or Item/Configure permission to check whether attacker-specified file patterns match workspace contents. A sequence of requests can be used to effectively list workspace contents. Jenkins Warnings Next Generation Plugin 8.5.0 requires Item/Configure permission to validate patterns with workspace contents.
How to fix CVE-2021-21626
To remediate CVE-2021-21626, upgrade the affected package to a fixed version below.
- Upgrade to 8.5.0 or later
Is CVE-2021-21626 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 8.5.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |