
====================================================================

                             CERT-Renater

                 Information Note No. 2021/VULN114
_____________________________________________________________________

DATE                : 23/02/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running Jenkins versions prior to 2.280.

=====================================================================
https://www.jenkins.io/security/advisory/2021-02-19/
_____________________________________________________________________


 Jenkins Security Advisory 2021-02-19

This advisory announces vulnerabilities in the following Jenkins
deliverables:

    Jenkins (core)

Descriptions
Privilege escalation vulnerability in bundled Spring Security library


SECURITY-2195 / CVE-2021-22112

Spring Security 5.4.3 and earlier has a vulnerability that
unintentionally persists temporarily elevated privileges in some
circumstances in a user’s session. This issue, CVE-2021-22112, is
resolved in Spring Security 5.4.4.

Jenkins 2.266 through 2.279 (inclusive) includes releases of Spring
Security with this vulnerability.

We are aware of a sequence of operations in Jenkins 2.275 through 2.278
(inclusive) that allows attackers with Job/Workspace permission to
exploit this to switch their identity to SYSTEM, an internal user with
all permissions.

Jenkins 2.280 integrates Spring Security 5.4.4, which includes a fix for
CVE-2021-22112.

We recommend that all Jenkins instances running Jenkins releases 2.266
through 2.279 (inclusive) are upgraded to 2.280. Administrators of
instances running Jenkins releases 2.275 through 2.278 (inclusive) who
cannot upgrade to a fixed version are advised to apply the short-term
workaround of removing Job/Workspace permission from all non-admin
users.
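As an added aid for the upgrade and workaround guidance above (this script is not part of the Jenkins advisory or the CERT-Renater note), the following Script Console snippet reports whether the running version falls in the affected ranges and lists which principals hold Job/Workspace without Overall/Administer under the global matrix authorization strategy. It assumes the matrix-auth plugin 2.x API (getGrantedPermissions() returning Map<Permission, Set<String>>); per-job matrix properties and other authorization plugins are not inspected.

```groovy
// Added example, not from the advisory. Run in Manage Jenkins > Script Console
// as an administrator. Assumes matrix-auth 2.x (getGrantedPermissions() returns
// Map<Permission, Set<String>>); other authorization strategies are only named.
import jenkins.model.Jenkins
import hudson.model.Item
import hudson.security.GlobalMatrixAuthorizationStrategy
import hudson.util.VersionNumber

// Inclusive version-range check using core's VersionNumber comparisons.
def inRange = { VersionNumber v, String lo, String hi ->
    !v.isOlderThan(new VersionNumber(lo)) && !v.isNewerThan(new VersionNumber(hi))
}

def version = Jenkins.getVersion()   // may be null on development builds
if (version == null) {
    println "Could not determine the Jenkins version; check Manage Jenkins > About."
} else {
    // Ranges as stated in the advisory.
    println "Jenkins ${version}"
    println "  bundles vulnerable Spring Security (2.266-2.279): ${inRange(version, '2.266', '2.279')}"
    println "  known exploitable sequence (2.275-2.278):         ${inRange(version, '2.275', '2.278')}"
}

def strategy = Jenkins.get().getAuthorizationStrategy()
if (!(strategy instanceof GlobalMatrixAuthorizationStrategy)) {
    println "Authorization strategy is ${strategy.getClass().name}; review Job/Workspace grants there manually."
    return
}

def granted   = strategy.getGrantedPermissions()          // Map<Permission, Set<String>>
def admins    = granted.get(Jenkins.ADMINISTER) ?: ([] as Set)
def workspace = granted.get(Item.WORKSPACE)     ?: ([] as Set)

// Users or groups granted Job/Workspace explicitly but not Overall/Administer:
// these are the principals the short-term workaround says to remove it from.
def nonAdminWorkspace = workspace - admins
println "Principals with Job/Workspace but not Overall/Administer: ${nonAdminWorkspace ?: 'none'}"
```

Role Strategy, project-based matrix properties and folder-level grants can also confer Job/Workspace, so treat an empty result as covering the global matrix only.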


Severity

    SECURITY-2195: High


Affected Versions

    Jenkins weekly up to and including 2.279


Fix

    Jenkins weekly should be updated to version 2.280

These versions include fixes to the vulnerabilities described above. All
prior versions are considered to be affected by these vulnerabilities
unless otherwise indicated.


Credit

The Jenkins project would like to thank the reporters for discovering
and reporting these vulnerabilities:

    Daniel Beck, CloudBees, Inc. and Wadeck Follonier, CloudBees, Inc.
    for SECURITY-2195



=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================



