Access Control Flaw in Jenkins P4 Plugin by Jenkins
CVE-2021-21654

4.3MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins P4 Plugin
Vendor: CVE Published:; 11 May 2021

Summary

The Jenkins P4 Plugin versions prior to 1.11.4 lack proper permission checks across several HTTP endpoints. This oversight enables attackers who possess Overall/Read privileges to initiate connections to a Perforce server of their choice, leveraging any username and password specified by the attacker. This flaw jeopardizes the integrity and confidentiality of data managed by the Perforce server.

Affected Version(s)

Jenkins P4 Plugin <= 1.11.4

References

https://www.jenkins.io/security/advisory/2021-05-11/#SECU...

x_refsource_CONFIRM

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 11, 2021
Vulnerability Reserved
Jan 4, 2021