Improper Authentication in Jenkins and Jenkins LTS

#VU51994 Improper Authentication in Jenkins and Jenkins LTS

Cybersecurity Help s.r.o.

Published: 2021-04-08

Vulnerability identifier: #VU51994

Vulnerability risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21640

CWE-ID: CWE-287

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Jenkins
Server applications / Application servers
Jenkins LTS
Server applications / Application servers

Vendor: Jenkins

Description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to the affected software does not properly check that a newly created view has an allowed name. A remote authenticated attacker can create views with invalid or already-used names.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Jenkins: 2.0 - 2.286

Jenkins LTS: 1.409.1 - 2.277.1

External links
http://www.openwall.com/lists/oss-security/2021/04/07/2
http://www.jenkins.io/security/advisory/2021-04-07/#SECURITY-1871

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in OpenShift Container Platform 4.10

Multiple vulnerabilities in Red Hat Migration Toolkit for Containers

Multiple vulnerabilities in OpenShift Container Platform

Multiple vulnerabilities in Jenkins and Jenkins LTS