{"id":"CVE-2021-21624","details":"An incorrect permission check in Jenkins Role-based Authorization Strategy Plugin 3.1 and earlier allows attackers with Item/Read permission on nested items to access them, even if they lack Item/Read permission for parent folders.","aliases":["GHSA-rm4m-39fj-288c"],"modified":"2026-04-12T01:01:36.702913Z","published":"2021-03-18T14:15:13.350Z","references":[{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2021/03/18/5"},{"type":"ADVISORY","url":"https://www.jenkins.io/security/advisory/2021-03-18/#SECURITY-2182"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jenkinsci/role-strategy-plugin","events":[{"introduced":"0"},{"last_affected":"f8b312769e23095f10d73f78297a0cf1c76be1d8"}],"database_specific":{"source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"last_affected":"3.1"}],"cpe":"cpe:2.3:a:jenkins:role-based_authorization_strategy:*:*:*:*:*:jenkins:*:*"}}],"versions":["role-strategy-1.1.3","role-strategy-2.1.0","role-strategy-2.10","role-strategy-2.11","role-strategy-2.12","role-strategy-2.13","role-strategy-2.14","role-strategy-2.15","role-strategy-2.16","role-strategy-2.2.0","role-strategy-2.3.0","role-strategy-2.3.1","role-strategy-2.3.2","role-strategy-2.4.0","role-strategy-2.5.0","role-strategy-2.5.1","role-strategy-2.6.0","role-strategy-2.6.1","role-strategy-2.7.0","role-strategy-2.8.0","role-strategy-2.8.1","role-strategy-2.8.2","role-strategy-2.9.0","role-strategy-3.0","role-strategy-3.1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-21624.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}]}