Vulnerability details: VCID-4xxt-zn4e-fqg7
Vulnerability ID VCID-4xxt-zn4e-fqg7
Aliases CVE-2021-21623
GHSA-96jw-3xw4-mq9p
Summary Incorrect permission checks in Jenkins Matrix Authorization Strategy Plugin may allow accessing some items

Items (like jobs) can be organized hierarchically in Jenkins, using the Folders Plugin or something similar. An item is expected to be accessible only if all its ancestors are accessible as well. Matrix Authorization Strategy Plugin 2.6.5 and earlier does not correctly perform permission checks to determine whether an item should be accessible. This allows attackers with Item/Read permission on nested items to access them, even if they lack Item/Read permission for parent folders.

Matrix Authorization Strategy Plugin 2.6.6 requires Item/Read permission on parent items to grant Item/Read permission on an individual item. As a workaround in older releases, do not grant permissions on individual items to users who do not have access to parent items. In case of problems, the [Java system property](https://www.jenkins.io/doc/book/managing/system-properties/) `hudson.security.AuthorizationMatrixProperty.checkParentPermissions` can be set to false, completely disabling this fix.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
System Score Found at
cvssv3 6.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21623.json
epss 0.001 https://api.first.org/data/v1/epss?cve=CVE-2021-21623
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-96jw-3xw4-mq9p
cvssv3.1 6.5 https://github.com/jenkinsci/matrix-auth-plugin
generic_textual MODERATE https://github.com/jenkinsci/matrix-auth-plugin
cvssv3.1 6.5 https://github.com/jenkinsci/matrix-auth-plugin/commit/bbe358575155912b818ab3c6e8b9623f21ad3418
generic_textual MODERATE https://github.com/jenkinsci/matrix-auth-plugin/commit/bbe358575155912b818ab3c6e8b9623f21ad3418
cvssv3.1 6.5 https://nvd.nist.gov/vuln/detail/CVE-2021-21623
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2021-21623
cvssv3.1 6.5 https://www.jenkins.io/security/advisory/2021-03-18/#SECURITY-2180
generic_textual MODERATE https://www.jenkins.io/security/advisory/2021-03-18/#SECURITY-2180
cvssv3.1 6.5 http://www.openwall.com/lists/oss-security/2021/03/18/5
generic_textual MODERATE http://www.openwall.com/lists/oss-security/2021/03/18/5
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21623.json
Attack Vector (AV): network
Attack Complexity (AC): low
Privileges Required (PR): low
User Interaction (UI): none
Scope (S): unchanged
Confidentiality Impact (C): high
Integrity Impact (I): none
Availability Impact (A): none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/jenkinsci/matrix-auth-plugin
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/jenkinsci/matrix-auth-plugin/commit/bbe358575155912b818ab3c6e8b9623f21ad3418
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2021-21623
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://www.jenkins.io/security/advisory/2021-03-18/#SECURITY-2180
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at http://www.openwall.com/lists/oss-security/2021/03/18/5
Exploit Prediction Scoring System (EPSS)
Percentile 0.27735
EPSS Score 0.001
Published At April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T13:11:43.081297+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-96jw-3xw4-mq9p/GHSA-96jw-3xw4-mq9p.json 38.0.0