5.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2021-21609

GHSA ID

GHSA-4625-q52w-39cx

EPSS Score

0.16192%

CWE

CWE-863

Published

5/24/2022

Updated

12/14/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-21609

CVE-2021-21609: Missing permission check for paths with specific prefix in Jenkins

Jenkins includes a static list of URLs that are always accessible even without Overall/Read permission, such as the login form. These URLs are excluded from an otherwise universal permission check.

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not correctly compare requested URLs with that list.

This allows attackers without Overall/Read permission to access plugin-provided URLs with any of the following prefixes if no other permissions are required:

accessDenied
error
instance-identity
login
logout
oops
securityRealm
signup
tcpSlaveAgentListener

For example, a plugin contributing the path loginFoo/ would have URLs in that space accessible without the default Overall/Read permission check.

The Jenkins security team is not aware of any affected plugins as of the publication of this advisory.

The comparison of requested URLs with the list of always accessible URLs has been fixed to only allow access to the specific listed URLs in Jenkins 2.275, LTS 2.263.2.

In case this change causes problems, additional paths can be made accessible without Overall/Read permissions: The Java system property jenkins.model.Jenkins.additionalReadablePaths is a comma-separated list of additional path prefixes to allow access to.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2021-21609

CVE-2021-21609:

5.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2021-21609

GHSA ID

GHSA-4625-q52w-39cx

EPSS Score

0.16192%

CWE

CWE-863

Published

5/24/2022

Updated

12/14/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.main:jenkins-core	maven	<= 2.263.1	2.263.2
org.jenkins-ci.main:jenkins-core	maven	>= 2.264, <= 2.274	2.275

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the URL path matching logic in isSubjectToMandatoryReadPermissionCheck. The pre-fix implementation checked if requested paths started with entries from ALWAYS_READABLE_PATHS (e.g., '/login'), allowing any path with matching prefixes (like '/loginFoo') to bypass permission checks. The commit changed the comparison to exact path matches (using startsWith('/name/') or equals('/name')) and modified how paths are stored in ALWAYS_READABLE_PATHS. The test cases added in JenkinsSEC2047Test.java verify that paths with protected prefixes (like 'login123') are now properly protected, confirming the vulnerability existed in this function.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2021-21609: Missing permission check for paths with specific prefix in Jenkins

CVE-2021-21609:

5.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2021-21609: Missing permission check for paths with specific prefix in Jenkins

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

5.3

5.3

Basic Information

Basic Information

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI