Description
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not correctly match requested URLs to the list of always accessible paths, allowing attackers without Overall/Read permission to access some URLs as if they did have Overall/Read permission.
Remediation
References
https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2047
Related Vulnerabilities
CVE-2017-12632 Vulnerability in maven package org.apache.nifi:nifi
CVE-2016-9879 Vulnerability in maven package org.springframework.security:spring-security-web
CVE-2013-4152 Vulnerability in maven package org.springframework:spring-web
CVE-2020-2142 Vulnerability in maven package org.jenkins-ci.plugins:p4
CVE-2019-1003070 Vulnerability in maven package org.jenkins-ci.plugins:veracode-scanner