ASA-202104-1
Arch Linux Security Advisory ASA-202104-1
==========================================

Severity: Medium
Date    : 2021-04-07
CVE-ID  : CVE-2021-21639 CVE-2021-21640
Package : jenkins
Type    : insufficient validation
Remote  : No
Link    : https://security.archlinux.org/AVG-1781

Summary
=======

The package jenkins before version 2.286-1 is vulnerable to insufficient
validation.

Resolution
==========

Upgrade to 2.287-1.

# pacman -Syu "jenkins>=2.287-1"

The problems have been fixed upstream in version 2.287.

Workaround
==========

None.

Description
===========

- CVE-2021-21639 (insufficient validation)

Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not validate the type of
object created after loading the data submitted to the config.xml REST API
endpoint of a node. This allows attackers with Computer/Configure permission to
replace a node with one of a different type.

- CVE-2021-21640 (insufficient validation)

Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not properly check that
a newly created view has an allowed name. When a form to create a view is
submitted, the name is included twice in the submission. One instance is
validated, but the other instance is used to create the value. This allows
attackers with View/Create permission to create views with invalid or
already-used names.
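As an added illustration (not code from this advisory or from Jenkins), the "validate one copy, use the other" pattern behind CVE-2021-21640, written in Python with a corrected handler beside it. The ViewStore class, the name policy and the form layout are assumptions made for the example.

```python
# Added example: the double-submitted-name bug pattern and its fix.
# ViewStore, ALLOWED_NAME and the form shape are constructed for this demo.
import re

ALLOWED_NAME = re.compile(r"^[A-Za-z0-9_-]+$")   # assumed name policy


class ViewStore:
    """Minimal stand-in for wherever views are kept (hypothetical)."""
    def __init__(self):
        self.views = {}


def check_name(store, name):
    """Return a problem description for `name`, or None if it is acceptable."""
    if not name or not ALLOWED_NAME.match(name):
        return "invalid name"
    if name in store.views:
        return "name already in use"
    return None


def create_view_vulnerable(store, form):
    """Bug: validates form['name'] but creates from form['json']['name'],
    so the unchecked second copy decides what actually gets created."""
    problem = check_name(store, form["name"])
    if problem:
        raise ValueError(problem)
    name = form["json"]["name"]          # unchecked copy wins
    store.views[name] = {"name": name}   # may overwrite an existing view
    return name


def create_view_fixed(store, form):
    """Fix: validate exactly the value that will be used, and reject
    submissions whose two copies disagree."""
    name = form["json"]["name"]
    if name != form["name"]:
        raise ValueError("name fields disagree")
    problem = check_name(store, name)
    if problem:
        raise ValueError(problem)
    store.views[name] = {"name": name}
    return name


def demo():
    """Constructed submission: validated copy is clean, used copy collides."""
    form = {"name": "fresh", "json": {"name": "existing"}}
    store = ViewStore(); store.views["existing"] = {"name": "existing"}
    got = create_view_vulnerable(store, form)   # silently overwrites 'existing'
    store2 = ViewStore(); store2.views["existing"] = {"name": "existing"}
    try:
        create_view_fixed(store2, form); rejected = False
    except ValueError:
        rejected = True
    return got, rejected
```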
Impact
======

Create invalid elements and override configuration files.

References
==========

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21639
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21640
https://nvd.nist.gov/vuln/detail/CVE-2021-21639
https://nvd.nist.gov/vuln/detail/CVE-2021-21640
https://security.archlinux.org/CVE-2021-21639
https://security.archlinux.org/CVE-2021-21640
https://www.jenkins.io/security/advisory/2021-04-07/#SECURITY-1721
https://www.jenkins.io/security/advisory/2021-04-07/#SECURITY-1871
https://www.openwall.com/lists/oss-security/2021/04/07/2