En

Jenkins官网安全更新(2021-02-19)

来源:Jenkins官网 发布日期:2021-02-19 阅读次数:5244 评论:0

基本信息

发布日期:2021-02-19(官方当地时间)

更新类型:安全更新

更新版本:未知

感知时间:2021-02-19 23:54:10

风险等级:未知

情报贡献:TSRC

更新标题

Jenkins Security Advisory 2021-02-19

更新详情

Privilege escalation vulnerability in bundled Spring Security librarySECURITY-2195
/
CVE-2021-22112Spring Security 5.4.3 and earlier has a vulnerability that unintentionally persisted temporarily elevated privileges in some circumstances in a user’s session.
This issue, CVE-2021-22112, is resolved in Spring Security 5.4.4.Jenkins 2.266 through 2.279 (inclusive) included releases of Spring Security with this vulnerability.We are aware of a sequence of operations in Jenkins 2.275 through 2.278 (inclusive) that allows attackers with Job/Workspace permission to exploit this to switch their identity to SYSTEM, an internal user with all permissions.Jenkins 2.280 integrates Spring Security 5.4.4, which includes a fix for CVE-2021-22112.We recommend that all Jenkins instances running Jenkins releases 2.266 through 2.279 (inclusive) are upgraded to 2.280.
Administrators of instances running Jenkins releases 2.275 through 2.278 (inclusive) who cannot upgrade to a fixed version are advised to apply the short-term workaround of removing Job/Workspace permission from all non-admin users.SeveritySECURITY-2195:HighAffected VersionsJenkins weekly up to and including
2.279FixJenkins weekly should be updated to version
2.280These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

软件描述

Jenkins是一个开源软件项目,是基于Java开发的一种持续集成工具,用于监控持续重复的工作,旨在提供一个开放易用的软件平台,使软件的持续集成变成可能。 [1]

CVE编号

TSRC分析

暂无

业界资讯

暂无

评论

提交评论 您输入的评论有误,请重新输入