jenkins: Multiple vulnerabilities (CVE-2021-21639, CVE-2021-21640)

CVE-2021-21639: Lack of type validation in agent related REST API

Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not validate the type of object created after loading the data submitted to the config.xml REST API endpoint of a node.

This allows attackers with Computer/Configure permission to replace a node with one of a different type. Jenkins 2.287, LTS 2.277.2 validates the type of object created and rejects objects of unexpected types.

CVE-2021-21640: View name validation bypass

Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not properly check that a newly created view has an allowed name. When a form to create a view is submitted, the name is included twice in the submission. One instance is validated, but the other instance is used to create the value.

This allows attackers with View/Create permission to create views with invalid or already-used names. Jenkins 2.287, LTS 2.277.2 uses the same submitted value for validation and view creation.

References:

• https://www.jenkins.io/security/advisory/2021-04-07/
• https://www.openwall.com/lists/oss-security/2021/04/07/2

Affected branches:

• master (ca8736b9)
• 3.13-stable