AccessDeniedException vulnerabilities when anonymous is not granted Read access

Issue

I cannot login to Jenkins. The Jenkins logs shows an exception similar to

Caused by: org.acegisecurity.AccessDeniedException: Please login to access job <itemName>
    at jenkins.model.Jenkins.getItem(Jenkins.java:2399)
    at jenkins.model.Jenkins.getItem(Jenkins.java:307)
    at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2505)
    at hudson.model.Run.fromExternalizableId(Run.java:2282)
    at org.jenkinsci.plugins.workflow.support.steps.ExecutorStepExecution$PlaceholderTask.runForDisplay(ExecutorStepExecution.java:307)
    at sun.reflect.GeneratedMethodAccessor959.invoke(Unknown Source)

Upstream builds succeed but build logs show the following exception:

Notifying upstream projects of job completion
FATAL: Please login to access job upstream
org.acegisecurity.AccessDeniedException: Please login to access job <itemName>
at jenkins.model.Jenkins.getItem(Jenkins.java:2724)
at jenkins.model.Jenkins.getItem(Jenkins.java:324)
at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2830)
at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2849)
at jenkins.triggers.ReverseBuildTrigger.shouldTrigger(ReverseBuildTrigger.java:116)
at jenkins.triggers.ReverseBuildTrigger.access$000(ReverseBuildTrigger.java:89)
at jenkins.triggers.ReverseBuildTrigger$1.shouldTriggerBuild(ReverseBuildTrigger.java:146)
at hudson.tasks.BuildTrigger.execute(BuildTrigger.java:247)
at hudson.model.AbstractBuild$AbstractBuildExecution.cleanUp(AbstractBuild.java:681)
at hudson.model.Build$BuildExecution.cleanUp(Build.java:200)
at hudson.model.Run.execute(Run.java:1775)
at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
at hudson.model.ResourceController.execute(ResourceController.java:98)
at hudson.model.Executor.run(Executor.java:404)

Environment

Jenkins
Jenkins LTS
CloudBees Jenkins Enterprise (CJE)
CloudBees Request Filter plugin

Issues Related

JENKINS-42556 for PlaceholderTask.runForDisplay
JENKINS-42577 for ReverseBuildTrigger.shouldTrigger
JENKINS-42586 for OldDataMonitor.referTo
JENKINS-42707

Resolution

This happens when anonymous is granted the permissions Overall/Read and Item/Discover but not Item/Read. This a mode that is used to force login redirects from job URLs. You can find more information about this in the article Q&A: Setting Up Role-based Access Control

The stacktrace may actually exposes a bug for a particular component in Jenkins that does not impersonate as SYSTEM user when accessing an item. A non-exhaustive list of issues is mentioned above. Please check on these Jira to check if there is a fix implemented for it. If you are seeing a similar stacktrace as Please login to access job <itemName> but for a different component/scenario, please open a new Support request for review or directly file a new issue in Jira.

Otherwise, a workaround is to remove the Item/Discover permission from the anonymous user.