CVE-2021-21670 — Improper permission checks allow canceling queue items and aborting builds in Je

Description

Jenkins 2.299 and earlier, LTS 2.289.1 and earlier allows users to cancel queue items and abort builds of jobs for which they have Item/Cancel permission even when they do not have Item/Read permission. Jenkins 2.300, LTS 2.289.2 requires that users have Item/Read permission for applicable types in addition to Item/Cancel permission. As a workaround on earlier versions of Jenkins, do not grant Item/Cancel permission to users who do not have Item/Read permission.

How to fix CVE-2021-21670

To remediate CVE-2021-21670, upgrade the affected package to a fixed version below.

—upgrade to 2.300.0 or later
—upgrade to 2.289.2 or later

Is CVE-2021-21670 being exploited?

Low — EPSS is 1.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 2.300.0
from 0, < 2.289.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-21670
PATCHgithub.com/jenkinsci/jenkins
WEBgithub.com/jenkinsci/jenkins/commit/86b7d7e789586575522650c60d591605facb1d70
WEBwww.jenkins.io/security/advisory/2021-06-30/#SECURITY-2278