Vulnerability in Jenkins

[Daniel Beck <ml () beckweb net>]

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

* Jenkins 2.280

Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://www.jenkins.io/security/advisory/2021-02-19/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://www.jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-2195 / CVE-2021-22112
Spring Security 5.4.3 and earlier has a vulnerability that unintentionally
persisted temporarily elevated privileges in some circumstances in a user's
session. This issue, CVE-2021-22112, is resolved in Spring Security 5.4.4.

Jenkins 2.266 through 2.279 (inclusive) include releases of Spring
Security with this vulnerability.

We are aware of a sequence of operations in Jenkins 2.275 through 2.278
(inclusive) that allows attackers with Job/Workspace permission to exploit
this to switch their identity to SYSTEM, an internal user with all
permissions.