vulnerability

Jenkins Advisory 2021-02-19: CVE-2021-22112: Privilege escalation vulnerability in bundled Spring Security library

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
9	(AV:N/AC:L/Au:S/C:C/I:C/A:C)	Feb 23, 2021	Dec 2, 2021	Jul 12, 2022

Severity

CVSS

(AV:N/AC:L/Au:S/C:C/I:C/A:C)

Published

Feb 23, 2021

Added

Dec 2, 2021

Modified

Jul 12, 2022

Description

Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request.A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.

Solution

jenkins-upgrade-2_280

References

CVE-2021-22112
https://attackerkb.com/topics/CVE-2021-22112
URL-https://jenkins.io/security/advisory/2021-02-19/

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today