4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-21624

GHSA ID

GHSA-rm4m-39fj-288c

EPSS Score

0.07093%

CWE

CWE-863

Published

5/24/2022

Updated

12/20/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-21624

CVE-2021-21624: Incorrect permission checks in Jenkins Role-based Authorization Strategy Plugin may allow accessing some items

Items (like jobs) can be organized hierarchically in Jenkins, using the Folders Plugin or something similar. An item is expected to be accessible only if all its ancestors are accessible as well.

Role-based Authorization Strategy Plugin 3.1 and earlier does not correctly perform permission checks to determine whether an item should be accessible.

This allows attackers with Item/Read permission on nested items to access them, even if they lack Item/Read permission for parent folders.

Role-based Authorization Strategy Plugin 3.1.1 requires Item/Read permission on parent items to grant Item/Read permission on an individual item.

As a workaround in older releases, do not grant permissions on individual items to users who do not have access to parent items.

In case of problems, the Java system property com.michelin.cio.hudson.plugins.rolestrategy.RoleMap.checkParentPermissions can be set to false, completely disabling this fix.

(GitHub Advisory)

4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-21624

GHSA ID

GHSA-rm4m-39fj-288c

EPSS Score

0.07093%

CWE

CWE-863

Published

5/24/2022

Updated

12/20/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:role-strategy	maven	<= 3.1	3.1.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing parent permission checks in the authorization flow. The commit adds critical parent permission verification logic specifically in the hasPermission method of RoleMap$AclImpl, including new checks for ItemGroup parent permissions when handling READ/DISCOVER requests. The test cases in Security2182Test.java validate() that parent permissions are now required, confirming the vulnerability existed in this authorization pathway. The system property escape hatch further confirms this was the focal point of the security fix.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

It*ms (lik* jo*s) **n ** or**niz** *i*r*r**i**lly in J*nkins, usin* t** *ol**rs Plu*in or som*t*in* simil*r. *n it*m is *xp**t** to ** ****ssi*l* only i* *ll its *n**stors *r* ****ssi*l* *s w*ll. Rol*-**s** *ut*oriz*tion Str*t**y Plu*in *.* *n* **rl

Reasoning

T** vuln*r**ility st*ms *rom missin* p*r*nt p*rmission ****ks in t** *ut*oriz*tion *low. T** *ommit ***s *riti**l p*r*nt p*rmission v*ri*i**tion lo*i* sp**i*i**lly in t** `**sP*rmission` m*t*o* o* `Rol*M*p$**lImpl`, in*lu*in* n*w ****ks *or `It*m*rou

4.3

Basic Information

Concerned about an active attack path?

CVE-2021-21624: Incorrect permission checks in Jenkins Role-based Authorization Strategy Plugin may allow accessing some items

4.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI