4.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2021-21624

GHSA ID

GHSA-rm4m-39fj-288c

EPSS Score

0.07093%

CWE

CWE-863

Published

5/24/2022

Updated

12/20/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-21624

CVE-2021-21624: Incorrect permission checks in Jenkins Role-based Authorization Strategy Plugin may allow accessing some items

Items (like jobs) can be organized hierarchically in Jenkins, using the Folders Plugin or something similar. An item is expected to be accessible only if all its ancestors are accessible as well.

Role-based Authorization Strategy Plugin 3.1 and earlier does not correctly perform permission checks to determine whether an item should be accessible.

This allows attackers with Item/Read permission on nested items to access them, even if they lack Item/Read permission for parent folders.

Role-based Authorization Strategy Plugin 3.1.1 requires Item/Read permission on parent items to grant Item/Read permission on an individual item.

As a workaround in older releases, do not grant permissions on individual items to users who do not have access to parent items.

In case of problems, the Java system property com.michelin.cio.hudson.plugins.rolestrategy.RoleMap.checkParentPermissions can be set to false, completely disabling this fix.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2021-21624

CVE-2021-21624:

4.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2021-21624

GHSA ID

GHSA-rm4m-39fj-288c

EPSS Score

0.07093%

CWE

CWE-863

Published

5/24/2022

Updated

12/20/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:role-strategy	maven	<= 3.1	3.1.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing parent permission checks in the authorization flow. The commit adds critical parent permission verification logic specifically in the hasPermission method of RoleMap$AclImpl, including new checks for ItemGroup parent permissions when handling READ/DISCOVER requests. The test cases in Security2182Test.java validate() that parent permissions are now required, confirming the vulnerability existed in this authorization pathway. The system property escape hatch further confirms this was the focal point of the security fix.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2021-21624: Incorrect permission checks in Jenkins Role-based Authorization Strategy Plugin may allow accessing some items

CVE-2021-21624:

4.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

4.3

4.3

Basic Information

Basic Information

CVE-2021-21624: Incorrect permission checks in Jenkins Role-based Authorization Strategy Plugin may allow accessing some items

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI