{"containers": {"cna": {"affected": [{"product": "Jenkins Matrix Authorization Strategy Plugin", "vendor": "Jenkins project", "versions": [{"lessThanOrEqual": "2.6.5", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"status": "unaffected", "version": "2.5.2"}, {"status": "unaffected", "version": "2.6.3.1"}]}], "descriptions": [{"lang": "en", "value": "An incorrect permission check in Jenkins Matrix Authorization Strategy Plugin 2.6.5 and earlier allows attackers with Item/Read permission on nested items to access them, even if they lack Item/Read permission for parent folders."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2023-10-24T15:50:44.018Z"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.jenkins.io/security/advisory/2021-03-18/#SECURITY-2180"}, {"name": "[oss-security] 20210318 Multiple vulnerabilities in Jenkins plugins", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2021/03/18/5"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "jenkinsci-cert@googlegroups.com", "ID": "CVE-2021-21623", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Jenkins Matrix Authorization Strategy Plugin", "version": {"version_data": [{"version_affected": "<=", "version_value": "2.6.5"}, {"version_affected": "!", "version_value": "2.5.2"}, {"version_affected": "!", "version_value": "2.6.3.1"}]}}]}, "vendor_name": "Jenkins project"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An incorrect permission check in Jenkins Matrix Authorization Strategy Plugin 2.6.5 and earlier allows attackers with Item/Read permission on nested items to access them, even if they lack Item/Read permission for parent folders."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-863: Incorrect Authorization"}]}]}, "references": {"reference_data": [{"name": "https://www.jenkins.io/security/advisory/2021-03-18/#SECURITY-2180", "refsource": "CONFIRM", "url": "https://www.jenkins.io/security/advisory/2021-03-18/#SECURITY-2180"}, {"name": "[oss-security] 20210318 Multiple vulnerabilities in Jenkins plugins", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2021/03/18/5"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:16:23.861Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.jenkins.io/security/advisory/2021-03-18/#SECURITY-2180"}, {"name": "[oss-security] 20210318 Multiple vulnerabilities in Jenkins plugins", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2021/03/18/5"}]}]}, "cveMetadata": {"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2021-21623", "datePublished": "2021-03-18T13:35:21", "dateReserved": "2021-01-04T00:00:00", "dateUpdated": "2024-08-03T18:16:23.861Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:matrix_authorization_strategy:*:*:*:*:*:jenkins:*:*", "matchCriteriaId": "CF293100-04B9-4D9A-A14D-7D6B469FF193", "versionEndIncluding": "2.6.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An incorrect permission check in Jenkins Matrix Authorization Strategy Plugin 2.6.5 and earlier allows attackers with Item/Read permission on nested items to access them, even if they lack Item/Read permission for parent folders."}, {"lang": "es", "value": "Una comprobaci\u00f3n incorrecta de permiso en Jenkins Matrix Authorization Strategy Plugin versiones 2.6.5 y anteriores, permite a atacantes con permiso Item/Read en elementos anidados acceder a ellos, incluso si no presentan permiso de Item/Read para las carpetas principales"}], "id": "CVE-2021-21623", "lastModified": "2024-11-21T05:48:43.063", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-03-18T14:15:13.227", "references": [{"source": "jenkinsci-cert@googlegroups.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/03/18/5"}, {"source": "jenkinsci-cert@googlegroups.com", "tags": ["Vendor Advisory"], "url": "https://www.jenkins.io/security/advisory/2021-03-18/#SECURITY-2180"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/03/18/5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.jenkins.io/security/advisory/2021-03-18/#SECURITY-2180"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2021:2437", "cpe": "cpe:/a:redhat:openshift:4.8::el8", "package": "jenkins-0:2.289.1.1624020353-1.el8", "product_name": "Red Hat OpenShift Container Platform 4.8", "release_date": "2021-07-27T00:00:00Z"}], "bugzilla": {"description": "jenkins-2-plugins/matrix-auth: Incorrect permission checks in Matrix Authorization Strategy Plugin", "id": "1940489", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1940489"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-273", "details": ["An incorrect permission check in Jenkins Matrix Authorization Strategy Plugin 2.6.5 and earlier allows attackers with Item/Read permission on nested items to access them, even if they lack Item/Read permission for parent folders.", "A flaw was found in Jenkins Matrix Authorization Strategy Plugin. The jenkins plugin does not correctly perform permission checks, as consequences this allows attackers with Item/Read permission on nested items to access them, even if they lack Item/Read permission for parent folders. The highest threat from this vulnerability is to data confidentiality."], "name": "CVE-2021-21623", "package_state": [{"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Out of support scope", "package_name": "jenkins", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Affected", "package_name": "jenkins-2-plugins", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "jenkins-2-plugins", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2021-03-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-21623\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-21623\nhttps://www.jenkins.io/security/advisory/2021-03-18/#SECURITY-2180"], "threat_severity": "Moderate", "upstream_fix": "matrix-auth 2.6.6"}