Privilege escalation vulnerability in bundled Spring Security library
SECURITY-2195 / CVE-2021-22112
Spring Security 5.4.3 and earlier has a vulnerability that unintentionally persisted temporarily elevated privileges in some circumstances in a user’s session. This issue, CVE-2021-22112, is resolved in Spring Security 5.4.4.
Jenkins 2.266 through 2.279 (inclusive) included releases of Spring Security with this vulnerability.
We are aware of a sequence of operations in Jenkins 2.275 through 2.278 (inclusive) that allows attackers with Job/Workspace permission to exploit this to switch their identity to SYSTEM, an internal user with all permissions.
Jenkins 2.280 integrates Spring Security 5.4.4, which includes a fix for CVE-2021-22112.
We recommend that all Jenkins instances running Jenkins releases 2.266 through 2.279 (inclusive) are upgraded to 2.280. Administrators of instances running Jenkins releases 2.275 through 2.278 (inclusive) who cannot upgrade to a fixed version are advised to apply the short-term workaround of removing Job/Workspace permission from all non-admin users.
As no CloudBees product is based on the affected Jenkins versions CloudBees users are not affected by this vulnerability