Related Vulnerabilities: CVE-2021-22112  


Severity: High

Remote: Yes

Type: Privilege escalation

Description
===========

A security issue was found in Jenkins 2.275 through 2.278 (inclusive) that allows attackers with Job/Workspace permission to switch their identity to SYSTEM, an internal user with all permissions. The issue is caused by an embedded copy of Spring Security, which in version 5.4.3 and earlier, under some circumstances, unintentionally persisted temporarily elevated privileges in a user's session. Jenkins 2.280 integrates Spring Security 5.4.4, which includes a fix for this issue.


Group     Package   Affected   Fixed     Severity   Status
AVG-1595  jenkins   2.279-1    2.280-1   High       Fixed

https://www.jenkins.io/security/advisory/2021-02-19/#SECURITY-2195
https://github.com/jenkinsci/jenkins/pull/5285
https://github.com/jenkinsci/jenkins/commit/bc3052f32807232ba1c3aa8957ca55a06d84cbe3

Workaround
==========

Administrators of instances running Jenkins releases 2.275 through 2.278 (inclusive) who cannot upgrade to a fixed version are advised to apply the short-term workaround of removing Job/Workspace permission from all non-admin users.
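As an added illustration of the workaround (not part of this advisory or of Jenkins' own tooling), the following read-only Groovy script for the Jenkins script console lists the security identities that hold Job/Workspace without also holding Overall/Administer, globally and per job, so an administrator can see exactly which grants to remove until the upgrade to 2.280 is possible. It assumes the matrix-auth plugin 2.x API (GlobalMatrixAuthorizationStrategy, AuthorizationMatrixProperty, getAllSIDs, hasExplicitPermission); the variable names are mine.

```groovy
// Read-only audit for Manage Jenkins -> Script Console.
// ASSUMPTION: the global authorization strategy is matrix-auth 2.x
// (GlobalMatrixAuthorizationStrategy or its project-based subclass);
// other strategies such as role-strategy are not inspected here.
import hudson.model.Item
import hudson.model.Job
import hudson.security.AuthorizationMatrixProperty
import hudson.security.GlobalMatrixAuthorizationStrategy
import jenkins.model.Jenkins

def jenkins  = Jenkins.get()
def strategy = jenkins.getAuthorizationStrategy()
if (!(strategy instanceof GlobalMatrixAuthorizationStrategy)) {
    println "Global strategy is ${strategy.getClass().name}; only matrix-auth is audited"
    return
}

// A sid counts as "admin" only if Overall/Administer is granted to it in the
// global matrix; everything else holding Job/Workspace is exposed to SECURITY-2195.
boolean isAdmin(String sid) {
    return strategy.hasExplicitPermission(sid, Jenkins.ADMINISTER)
}

// getAllSIDs() omits "anonymous" (assumption based on matrix-auth 2.x),
// so it is added explicitly: an anonymous Job/Workspace grant matters too.
def globalSids = strategy.getAllSIDs() + ['anonymous']
def exposed = globalSids.findAll { sid ->
    strategy.hasExplicitPermission(sid, Item.WORKSPACE) && !isAdmin(sid)
}
println "Global matrix: non-admin sids with Job/Workspace: ${exposed ?: 'none'}"

// Project-based matrix authorization can grant Job/Workspace per job as well.
jenkins.getAllItems(Job).each { Job job ->
    def prop = job.getProperty(AuthorizationMatrixProperty)
    if (prop == null) return
    def jobExposed = (prop.getAllSIDs() + ['anonymous']).findAll { sid ->
        prop.hasExplicitPermission(sid, Item.WORKSPACE) && !isAdmin(sid)
    }
    if (jobExposed) {
        println "${job.fullName}: non-admin sids with Job/Workspace: ${jobExposed}"
    }
}
```

Grants reported for the group sid `authenticated` apply to every logged-in user, so those are the first ones to remove under the workaround.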