CVE-2021-21650: Missing Authorization in Jenkins S3 publisher Plugin

CVSS Score: 4.3 (CVSS v3.1)

Basic Information

EPSS Score: 0.14692%
Published: 6/16/2021
Updated: 12/26/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name               Ecosystem   Vulnerable Versions   First Patched Version
org.jenkins-ci.plugins:s3  maven       = 0.11.6              0.11.7
org.jenkins-ci.plugins:s3  maven       < 0.11.5.1            0.11.5.1

Vulnerability Intelligence

Root Cause Analysis

The fix commit adds permission checks to three methods that previously had none. The vulnerability stems from missing Run.ARTIFACTS permission checks in: 1) getArtifacts(), which returns artifact metadata; 2) doDownload(), which serves file downloads; and 3) getLatestDeployedArtifacts(), which exposes project-level artifact information. The patch adds an explicit permission check to each of these endpoints, confirming that all three were previously reachable without the required authorization.

WAF Protection Rules

WAF Rule

Jenkins S3 publisher Plugin prior to 0.11.7 and 0.11.5.1 does not perform Run/Artifacts permission checks in various HTTP endpoints and API models. This allows attackers with Item/Read permission to obtain information about artifacts uploaded to S3,
