CVE-2021-21650 - OpenCVE

Jenkins S3 publisher Plugin 0.11.6 and earlier does not perform Run/Artifacts permission checks in various HTTP endpoints and API models, allowing attackers with Item/Read permission to obtain information about artifacts uploaded to S3, if the optional Run/Artifacts permission is enabled.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:S/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Jenkins	S3 Publisher

Configuration 1 [-]

cpe:2.3:a:jenkins:s3_publisher:*:*:*:*:*:jenkins:*:*

References

Link	Resource
https://www.jenkins.io/security/advisory/2021-05-11/#SECURITY-2200	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: jenkins

Published: 2021-05-11T14:15:21

Updated: 2023-10-24T15:51:15.205Z

Reserved: 2021-01-04T00:00:00

Link: CVE-2021-21650

JSON object: View

NVD Information

Status : Modified

Published: 2021-05-11T15:15:07.953

Modified: 2023-10-25T18:16:49.620

Link: CVE-2021-21650

JSON object: View

Redhat Information

No data.

CWE

No CWE.

{"containers": {"cna": {"affected": [{"product": "Jenkins S3 publisher Plugin", "vendor": "Jenkins project", "versions": [{"lessThanOrEqual": "0.11.6", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"status": "unaffected", "version": "0.11.5.1"}]}], "descriptions": [{"lang": "en", "value": "Jenkins S3 publisher Plugin 0.11.6 and earlier does not perform Run/Artifacts permission checks in various HTTP endpoints and API models, allowing attackers with Item/Read permission to obtain information about artifacts uploaded to S3, if the optional Run/Artifacts permission is enabled."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2023-10-24T15:51:15.205Z"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.jenkins.io/security/advisory/2021-05-11/#SECURITY-2200"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "jenkinsci-cert@googlegroups.com", "ID": "CVE-2021-21650", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Jenkins S3 publisher Plugin", "version": {"version_data": [{"version_affected": "<=", "version_value": "0.11.6"}, {"version_affected": "!", "version_value": "0.11.5.1"}]}}]}, "vendor_name": "Jenkins project"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Jenkins S3 publisher Plugin 0.11.6 and earlier does not perform Run/Artifacts permission checks in various HTTP endpoints and API models, allowing attackers with Item/Read permission to obtain information about artifacts uploaded to S3, if the optional Run/Artifacts permission is enabled."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-862: Missing Authorization"}]}]}, "references": {"reference_data": [{"name": "https://www.jenkins.io/security/advisory/2021-05-11/#SECURITY-2200", "refsource": "CONFIRM", "url": "https://www.jenkins.io/security/advisory/2021-05-11/#SECURITY-2200"}]}}}}, "cveMetadata": {"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2021-21650", "datePublished": "2021-05-11T14:15:21", "dateReserved": "2021-01-04T00:00:00", "dateUpdated": "2023-10-24T15:51:15.205Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:s3_publisher:*:*:*:*:*:jenkins:*:*", "matchCriteriaId": "11FD2274-FF7B-42DA-9EFB-4850EEEE0A3F", "versionEndIncluding": "0.11.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Jenkins S3 publisher Plugin 0.11.6 and earlier does not perform Run/Artifacts permission checks in various HTTP endpoints and API models, allowing attackers with Item/Read permission to obtain information about artifacts uploaded to S3, if the optional Run/Artifacts permission is enabled."}, {"lang": "es", "value": "El plugin del editor de Jenkins versi\u00f3n S3 0.11.6 y anteriores no realiza comprobaciones de permisos de Run/Artifacts en varios endpoints HTTP y modelos de API, permitiendo a los atacantes con permiso de Item/Read obtener informaci\u00f3n sobre los artefactos subidos a S3, si el permiso opcional de Run/Artifacts est\u00e1 habilitado."}], "id": "CVE-2021-21650", "lastModified": "2023-10-25T18:16:49.620", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-05-11T15:15:07.953", "references": [{"source": "jenkinsci-cert@googlegroups.com", "tags": ["Vendor Advisory"], "url": "https://www.jenkins.io/security/advisory/2021-05-11/#SECURITY-2200"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Modified"}