Bug 1931453 (CVE-2021-22112)

Summary: CVE-2021-22112 jenkins: Privilege escalation vulnerability in bundled Spring Security library
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: abenaiss, aileenc, aos-bugs, bmontgom, chazlett, drieden, eparis, ggaughan, gmalinko, janstey, jburrell, jochrist, jokerman, jwon, nstielau, pbhattac, sponnaga, vbobade
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: jenkins 2.280 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in jenkins. Unintentional persisted temporary elevated privileges in some circumstances in a user's session can occur in Spring Security. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-03-01 13:02:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1931454    

Description Pedro Sampaio 2021-02-22 13:03:35 UTC 
A flaw was found in Spring Security 5.4.3 and earlier where a vulnerability that unintentionally persisted temporarily elevated privileges in some circumstances in a user’s session.

References:

https://www.jenkins.io/security/advisory/2021-02-19/
Comment 1 Przemyslaw Roguski 2021-02-22 20:46:26 UTC 
This vulnerability affects only Jenkins regular (weekly) releases.
In the Jenkins LTS the Spring Security package is not included, hence Jenkins LTS version is not affected by this flaw. 

In Jenkins 2.280 the fixed version of Spring Security 5.4.4 has been bundled and in this way a fix for the Spring Security flaw (CVE-2021-22112) has been shipped.
Comment 3 Vibhav Bobade 2021-02-23 07:31:52 UTC 
Hi Przemyslaw,

Thank you for looking into this and providing clarity on the affected package. Considering that the fix doesn't have to be provided to the LTS releases that we provide, can we close this bug ?
Comment 4 Eric Christensen 2021-02-23 15:19:34 UTC 
External References:

https://www.jenkins.io/security/advisory/2021-02-19/
Comment 5 Product Security DevOps Team 2021-03-01 13:02:00 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-22112