@denisse-dev
Last active April 8, 2021 02:16
ASA-202104-1
Arch Linux Security Advisory ASA-202104-1
==========================================
Severity: Medium
Date    : 2021-04-07
CVE-ID  : CVE-2021-21639 CVE-2021-21640
Package : jenkins
Type    : insufficient validation
Remote  : No
Link    : https://security.archlinux.org/AVG-1781
Summary
=======
The package jenkins before version 2.286-1 is vulnerable to insufficient
validation.
Resolution
==========
Upgrade to 2.287-1.
# pacman -Syu "jenkins>=2.287-1"
The problems have been fixed upstream in version 2.287.
Workaround
==========
None.
Description
===========
- CVE-2021-21639 (insufficient validation)
Jenkins 2.286 and earlier, LTS 2.277.1 and earlier do not validate the type of
object created after loading the data submitted to the config.xml REST API
endpoint of a node. This allows attackers with Computer/Configure permission to
replace a node with one of a different type.
- CVE-2021-21640 (insufficient validation)
Jenkins 2.286 and earlier, LTS 2.277.1 and earlier do not properly check that
a newly created view has an allowed name. When a form to create a view is
submitted, the name is included twice in the submission. One instance is
validated, but the other instance is used to create the value. This allows
attackers with View/Create permission to create views with invalid or
already-used names.
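A minimal model of the second bug pattern, added here as an example and not taken from Jenkins: a handler validates one copy of the submitted name but builds the view from a second copy. The two-field layout (a plain `name` field plus a JSON `json` field) and the allowed-name rules are assumptions; the fixed handler validates exactly the value it uses and rejects submissions whose copies disagree.

```python
import json
import re
from typing import Optional, Set

# Constructed set of views that already exist on the instance.
EXISTING_VIEWS = {"All", "Pipelines"}
# Assumed allow-list for view names (not the real Jenkins rule).
NAME_RE = re.compile(r"^[A-Za-z0-9_. -]+$")


def check_good_name(name: str, existing: Set[str]) -> Optional[str]:
    """Return an error message if `name` is not an allowed view name, else None."""
    if not name or not name.strip():
        return "name is empty"
    if not NAME_RE.match(name):
        return "name contains disallowed characters"
    if name in existing:
        return "a view with this name already exists"
    return None


def create_view_vulnerable(form: dict, existing: Set[str]) -> str:
    """Validates the plain `name` field, then creates the view from the JSON copy."""
    err = check_good_name(form["name"], existing)
    if err:
        raise ValueError(err)
    cfg = json.loads(form["json"])
    existing.add(cfg["name"])  # the unvalidated copy is what gets used
    return cfg["name"]


def create_view_fixed(form: dict, existing: Set[str]) -> str:
    """Validates the value that is actually used and rejects mismatched copies."""
    cfg = json.loads(form["json"])
    name = cfg.get("name", "")
    if name != form.get("name"):
        raise ValueError("name fields in submission disagree")
    err = check_good_name(name, existing)
    if err:
        raise ValueError(err)
    existing.add(name)
    return name


def demo():
    # Constructed submission: the validated copy is clean, the used copy collides.
    form = {"name": "Release", "json": json.dumps({"name": "All"})}
    created = create_view_vulnerable(form, set(EXISTING_VIEWS))
    try:
        create_view_fixed(form, set(EXISTING_VIEWS))
        outcome = "accepted"
    except ValueError as exc:
        outcome = str(exc)
    return created, outcome
```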
Impact
======
Create invalid elements and override configuration files.
References
==========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21639
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21640
https://nvd.nist.gov/vuln/detail/CVE-2021-21639
https://nvd.nist.gov/vuln/detail/CVE-2021-21640
https://security.archlinux.org/CVE-2021-21639
https://security.archlinux.org/CVE-2021-21640
https://www.jenkins.io/security/advisory/2021-04-07/#SECURITY-1721
https://www.jenkins.io/security/advisory/2021-04-07/#SECURITY-1871
https://www.openwall.com/lists/oss-security/2021/04/07/2