{
  "threat_severity" : "Moderate",
  "public_date" : "2021-03-18T00:00:00Z",
  "bugzilla" : {
    "description" : "jenkins-2-plugins/matrix-auth: Incorrect permission checks in Matrix Authorization Strategy Plugin",
    "id" : "1940489",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1940489"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-273",
  "details" : [ "An incorrect permission check in Jenkins Matrix Authorization Strategy Plugin 2.6.5 and earlier allows attackers with Item/Read permission on nested items to access them, even if they lack Item/Read permission for parent folders.", "A flaw was found in the Jenkins Matrix Authorization Strategy Plugin. The plugin does not correctly perform permission checks; as a consequence, attackers with Item/Read permission on nested items can access them even if they lack Item/Read permission for the parent folders. The highest threat from this vulnerability is to data confidentiality." ],
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 4.8",
    "release_date" : "2021-07-27T00:00:00Z",
    "advisory" : "RHSA-2021:2437",
    "cpe" : "cpe:/a:redhat:openshift:4.8::el8",
    "package" : "jenkins-0:2.289.1.1624020353-1.el8"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Out of support scope",
    "package_name" : "jenkins",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Affected",
    "package_name" : "jenkins-2-plugins",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "jenkins-2-plugins",
    "cpe" : "cpe:/a:redhat:openshift:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-21623\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-21623\nhttps://www.jenkins.io/security/advisory/2021-03-18/#SECURITY-2180" ],
  "name" : "CVE-2021-21623",
  "csaw" : false
}