Jenkins Security Advisory 2021-02-19

This advisory announces vulnerabilities in the following Jenkins deliverables:

  • Jenkins (core)

Descriptions

Privilege escalation vulnerability in bundled Spring Security library

SECURITY-2195 / CVE-2021-22112

Spring Security 5.4.3 and earlier has a vulnerability that unintentionally persists temporarily elevated privileges in some circumstances in a user’s session. This issue, CVE-2021-22112, is resolved in Spring Security 5.4.4.

Jenkins 2.266 through 2.279 (inclusive) includes releases of Spring Security with this vulnerability.

We are aware of a sequence of operations in Jenkins 2.275 through 2.278 (inclusive) that allows attackers with Job/Workspace permission to exploit this to switch their identity to SYSTEM, an internal user with all permissions.

Jenkins 2.280 integrates Spring Security 5.4.4, which includes a fix for CVE-2021-22112.

We recommend that all Jenkins instances running Jenkins releases 2.266 through 2.279 (inclusive) are upgraded to 2.280. Administrators of instances running Jenkins releases 2.275 through 2.278 (inclusive) who cannot upgrade to a fixed version are advised to apply the short-term workaround of removing Job/Workspace permission from all non-admin users.

Severity

Affected Versions

  • Jenkins weekly up to and including 2.279

Fix

  • Jenkins weekly should be updated to version 2.280

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • Daniel Beck, CloudBees, Inc. and Wadeck Follonier, CloudBees, Inc. for SECURITY-2195