CVE-2021-21647

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-21647

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-21647.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-21647

Aliases

GHSA-7rx6-4vwv-432g

Published

2021-04-21T15:15:08Z

Modified

2024-09-03T03:40:42.412705Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

[none]

Details

Jenkins CloudBees CD Plugin 1.1.21 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Item/Read permission to schedule builds of projects without having Item/Build permission.

References

Affected packages

Git / github.com/jenkinsci/electricflow-plugin

Affected ranges

Type: GIT
Repo: https://github.com/jenkinsci/electricflow-plugin
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

30a6ef8fd5e96dfab3dc83f9fc80042456fa4851

Affected versions

cloudbees-flow-1.*

cloudbees-flow-1.1.10

cloudbees-flow-1.1.11

cloudbees-flow-1.1.12

cloudbees-flow-1.1.14

cloudbees-flow-1.1.15

cloudbees-flow-1.1.16

cloudbees-flow-1.1.17

cloudbees-flow-1.1.18

cloudbees-flow-1.1.19

cloudbees-flow-1.1.20

cloudbees-flow-1.1.21

cloudbees-flow-1.1.8

cloudbees-flow-1.1.9

electricflow-1.*

electricflow-1.0

electricflow-1.1.1

electricflow-1.1.13

electricflow-1.1.2

electricflow-1.1.3

electricflow-1.1.4

electricflow-1.1.5

electricflow-1.1.6

electricflow-1.1.7