Django REST framework

Vulnerability Instance

Lookup for vulnerabilities affecting packages.

Vulnerability_idVCID-4xxt-zn4e-fqg7
Summary
Incorrect permission checks in Jenkins Matrix Authorization Strategy Plugin may allow accessing some items
Items (like jobs) can be organized hierarchically in Jenkins, using the Folders Plugin or something similar. An item is expected to be accessible only if all its ancestors are accessible as well.

Matrix Authorization Strategy Plugin 2.6.5 and earlier does not correctly perform permission checks to determine whether an item should be accessible.

This allows attackers with Item/Read permission on nested items to access them, even if they lack Item/Read permission for parent folders.\n\nMatrix Authorization Strategy Plugin 2.6.6 requires Item/Read permission on parent items to grant Item/Read permission on an individual item.

As a workaround in older releases, do not grant permissions on individual items to users who do not have access to parent items.

In case of problems, the [Java system property](https://www.jenkins.io/doc/book/managing/system-properties/) `hudson.security.AuthorizationMatrixProperty.checkParentPermissions` can be set to false, completely disabling this fix.
Aliases
0
alias CVE-2021-21623
1
alias GHSA-96jw-3xw4-mq9p
Fixed_packages
0
url pkg:maven/org.jenkins-ci.plugins/matrix-auth@2.6.6
purl pkg:maven/org.jenkins-ci.plugins/matrix-auth@2.6.6
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.plugins/matrix-auth@2.6.6
Affected_packages
0
url pkg:maven/org.jenkins-ci.plugins/matrix-auth@2.6.5
purl pkg:maven/org.jenkins-ci.plugins/matrix-auth@2.6.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4xxt-zn4e-fqg7
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.plugins/matrix-auth@2.6.5
1
url pkg:rpm/redhat/jenkins@2.289.1.1624020353-1?arch=el8
purl pkg:rpm/redhat/jenkins@2.289.1.1624020353-1?arch=el8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4xxt-zn4e-fqg7
1
vulnerability VCID-9prj-5zwe-7kc5
2
vulnerability VCID-dkr2-9c7r-q3g9
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/jenkins@2.289.1.1624020353-1%3Farch=el8
References
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21623.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21623.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-21623
reference_id
reference_type
scores
0
value 0.001
scoring_system epss
scoring_elements 0.2756
published_at 2026-04-21T12:55:00Z
1
value 0.001
scoring_system epss
scoring_elements 0.27735
published_at 2026-04-01T12:55:00Z
2
value 0.001
scoring_system epss
scoring_elements 0.27773
published_at 2026-04-02T12:55:00Z
3
value 0.001
scoring_system epss
scoring_elements 0.27811
published_at 2026-04-04T12:55:00Z
4
value 0.001
scoring_system epss
scoring_elements 0.27603
published_at 2026-04-07T12:55:00Z
5
value 0.001
scoring_system epss
scoring_elements 0.2767
published_at 2026-04-08T12:55:00Z
6
value 0.001
scoring_system epss
scoring_elements 0.27713
published_at 2026-04-09T12:55:00Z
7
value 0.001
scoring_system epss
scoring_elements 0.27717
published_at 2026-04-11T12:55:00Z
8
value 0.001
scoring_system epss
scoring_elements 0.27674
published_at 2026-04-12T12:55:00Z
9
value 0.001
scoring_system epss
scoring_elements 0.27615
published_at 2026-04-13T12:55:00Z
10
value 0.001
scoring_system epss
scoring_elements 0.27625
published_at 2026-04-16T12:55:00Z
11
value 0.001
scoring_system epss
scoring_elements 0.27599
published_at 2026-04-18T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-21623
2
reference_url https://github.com/jenkinsci/matrix-auth-plugin
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/jenkinsci/matrix-auth-plugin
3
reference_url https://github.com/jenkinsci/matrix-auth-plugin/commit/bbe358575155912b818ab3c6e8b9623f21ad3418
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/jenkinsci/matrix-auth-plugin/commit/bbe358575155912b818ab3c6e8b9623f21ad3418
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-21623
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-21623
5
reference_url https://www.jenkins.io/security/advisory/2021-03-18/#SECURITY-2180
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.jenkins.io/security/advisory/2021-03-18/#SECURITY-2180
6
reference_url http://www.openwall.com/lists/oss-security/2021/03/18/5
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2021/03/18/5
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1940489
reference_id 1940489
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1940489
8
reference_url https://github.com/advisories/GHSA-96jw-3xw4-mq9p
reference_id GHSA-96jw-3xw4-mq9p
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-96jw-3xw4-mq9p
9
reference_url https://access.redhat.com/errata/RHSA-2021:2437
reference_id RHSA-2021:2437
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:2437
Weaknesses
0
cwe_id 863
name Incorrect Authorization
description The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.
1
cwe_id 273
name Improper Check for Dropped Privileges
description The product attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded.
2
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
3
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
Exploits
Severity_range_score4.0 - 6.9
Exploitability0.5
Weighted_severity6.2
Risk_score3.1
Resource_urlhttp://public2.vulnerablecode.io/vulnerabilities/VCID-4xxt-zn4e-fqg7