Moderate severity · NVD Advisory · Published May 11, 2021 · Updated Aug 3, 2024
CVE-2021-21650
Description
Jenkins S3 publisher Plugin 0.11.6 and earlier does not perform Run/Artifacts permission checks in various HTTP endpoints and API models, allowing attackers with Item/Read permission to obtain information about artifacts uploaded to S3, if the optional Run/Artifacts permission is enabled.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:s3Maven | >= 0.11.6, < 0.11.7 | 0.11.7 |
| org.jenkins-ci.plugins:s3Maven | < 0.11.5.1 | 0.11.5.1 |
Affected products
- Range: unspecified
Patches
a146c28c849f — [SECURITY-2200]
2 files changed · +19 −3
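--- a/src/main/java/hudson/plugins/s3/S3ArtifactsAction.java
+++ b/src/main/java/hudson/plugins/s3/S3ArtifactsAction.java
@@ -3,6 +3,7 @@
 import java.io.File;
 import java.io.IOException;
 
+import java.util.Collections;
 import java.util.Date;
 import java.util.List;
 
@@ -11,6 +12,7 @@
 import com.amazonaws.services.s3.AmazonS3Client;
 import com.amazonaws.services.s3.model.GeneratePresignedUrlRequest;
 import com.amazonaws.services.s3.model.ResponseHeaderOverrides;
+import hudson.Functions;
 import jenkins.model.RunAction2;
 import org.kohsuke.stapler.StaplerRequest;
 import org.kohsuke.stapler.StaplerResponse;
@@ -39,15 +41,19 @@ public S3ArtifactsAction(Run<?, ?> run, S3Profile profile, List<FingerprintRecor
     }
 
     public String getIconFileName() {
-        return "fingerprint.png";
+        return hasAccess() ? "fingerprint.png" : null;
     }
 
     public String getDisplayName() {
         return "S3 Artifacts";
     }
 
     public String getUrlName() {
-        return "s3";
+        return hasAccess() ? "s3" : null;
+    }
+
+    private boolean hasAccess () {
+        return !Functions.isArtifactsPermissionEnabled() || build.getParent().hasPermission(Run.ARTIFACTS);
     }
 
     @Override
@@ -63,10 +69,16 @@ public String getProfile() {
 
     @Exported
     public List<FingerprintRecord> getArtifacts() {
+        if (!hasAccess()) {
+            return Collections.emptyList();
+        }
         return artifacts;
     }
 
     public void doDownload(final StaplerRequest request, final StaplerResponse response) throws IOException, ServletException {
+        if (Functions.isArtifactsPermissionEnabled()) {
+            build.getParent().checkPermission(Run.ARTIFACTS);
+        }
         final String restOfPath = request.getRestOfPath();
         if (restOfPath == null) {
             return;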
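Review bot: `private boolean hasAccess () {` carries a space before the parameter list that no other declaration in this hunk has; write `private boolean hasAccess() {`. The helper also has no comment explaining why the check is conditional on `Functions.isArtifactsPermissionEnabled()` and why it consults `build.getParent()` rather than the run itself, so a one-line Javadoc such as `/** Run/Artifacts is enforced only when that optional permission is switched on; the job's ACL is consulted — presumably because that is where it is granted, confirm. */` would stop a later reader from "simplifying" it to a bare `hasPermission` call. `doDownload` restates the same condition in `checkPermission` form instead of calling `hasAccess()`, which is reasonable because it should throw rather than return, but the two must be kept in step and a cross-reference comment on each would make that visible. `getProfile()` appears only in the last hunk header and is not gated; whether the profile name counts as artifact information is a question for the maintainers rather than a defect I can assert from here. `doDownload` continues outside the hunk.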
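--- a/src/main/java/hudson/plugins/s3/S3ArtifactsProjectAction.java
+++ b/src/main/java/hudson/plugins/s3/S3ArtifactsProjectAction.java
@@ -2,6 +2,7 @@
 
 import java.util.List;
 
+import hudson.Functions;
 import hudson.model.Action;
 import hudson.model.AbstractProject;
 import hudson.model.Run;
@@ -20,6 +21,9 @@ private Run getLastSuccessfulBuild() {
 
     @SuppressWarnings("unused")
     public S3ArtifactsAction getLatestDeployedArtifacts() {
+        if (Functions.isArtifactsPermissionEnabled() && !project.hasPermission(Run.ARTIFACTS)) {
+            return null;
+        }
         Run latestSuccessfulBuild = getLastSuccessfulBuild();
         if (latestSuccessfulBuild == null) {
             return null;
@@ -51,4 +55,4 @@ public String getDisplayName() {
     public String getUrlName() {
         return null;
     }
-}
\ No newline at end of file
+}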
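Review bot: The new guard at the top of `getLatestDeployedArtifacts()` is the negation of `S3ArtifactsAction.hasAccess()` written out longhand, so the two checks can drift apart if either is edited alone; a comment tying them together, `// Mirrors S3ArtifactsAction.hasAccess(): hide the panel when the optional Run/Artifacts permission is on and denied for this job.`, would make the dependency explicit. The method is annotated `@SuppressWarnings("unused")`, which suggests it is invoked from a view rather than from Java code, so returning `null` is presumably what suppresses the panel — worth confirming that the view tolerates a null return on this path as it already does for the no-successful-build case. The method body continues past the hunk, and the third hunk only adds the missing final newline.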
References
- github.com/advisories/GHSA-fvfc-8pqr-wjpv (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-21650 (ghsa, ADVISORY)
- github.com/CVEProject/cvelist/blob/2d78eb36f4d084db7fb35f1535d8d84fdcb7d859/2021/21xxx/CVE-2021-21650.json (ghsa, WEB)
- github.com/jenkinsci/s3-plugin/commit/a146c28c849ffe643ece46eaa5940d1fd6ab048e (ghsa, WEB)
- www.jenkins.io/security/advisory/2021-05-11/ (ghsa, x_refsource_CONFIRM, WEB)
News mentions
No linked articles in our index yet.