CVE-2021-21604
Published 2021-01-13
Priority P3 · 40 · high · 8 CVSS 3.1
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS: 1.68% (74.0th percentile)
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows attackers with permission to create or configure various objects to inject crafted content into Old Data Monitor that results in the instantiation of potentially unsafe objects once discarded by an administrator.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | anything_goes_formatter_plugin | — | — |
| jenkins | bumblebee_hp_alm_plugin | — | — |
| jenkins | jenkins | <= 2.263.1 | — |
| jenkins | jenkins | <= 2.274 | — |
| jenkins | jenkins_core | — | — |
| jenkins | jenkins_lts | — | — |
| jenkins | jenkins_weekly | — | — |
| jenkins | tics_plugin | — | — |
| jenkins_project | jenkins | unspecified – 2.274 | — |
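CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.0 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.0 | MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P |
| vendor_redhat | — | 8.0 | HIGH | — |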
Red Hat
jenkins: Improper handling of REST API XML deserialization errors
vendor_redhat·2021-01-13·CVSS 8.0
CVE-2021-21604 [HIGH] CWE-502 jenkins: Improper handling of REST API XML deserialization errors
A flaw was found in Jenkins. An attacker with permission to create or configure various objects can inject crafted content into Old Data Monitor, which results in the instantiation of potentially unsafe objects once the data is discarded by an administrator. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Package: jenkins (Red Hat Fuse 7) - Not affected
Jenkins
Jenkins Security Advisory 2021-01-13
vendor_jenkins·2021-01-13·CVSS 5.4
CVE-2018-1000862 [MEDIUM] Jenkins Security Advisory 2021-01-13
This advisory announces vulnerabilities in the following Jenkins deliverables:
- Jenkins (core)
- Bumblebee HP ALM Plugin
- TICS Plugin
- tracetronic ecu.test Plugin
Descriptions
XSS vulnerability in notification bar
SECURITY-1889 / CVE-2021-21603
Severity (CV
OSV
Improper handling of REST API XML deserialization errors in Jenkins
osv·2022-05-24
CVE-2021-21604 [HIGH] Improper handling of REST API XML deserialization errors in Jenkins
Jenkins provides XML REST APIs to configure views, jobs, and other items. When deserialization fails because of invalid data, Jenkins 2.274 and earlier, LTS 2.263.1 and earlier stores invalid object references created through these endpoints in the Old Data Monitor. If an administrator discards the old data, some erroneous data submitted to these endpoints may be persisted.
This allows attackers with View/Create, Job/Create, Agent/Create, or their respective */Configure permissions to inject crafted content into Old Data Monitor that results in the instantiation of potentially unsafe objects when discarded by an administrator.
Jenkins 2.275, LTS 2.263.2 does not record submissions from users in Old Data Monitor anymor
GHSA
Improper handling of REST API XML deserialization errors in Jenkins
ghsa·2022-05-24
CVE-2021-21604 [HIGH] CWE-502 Improper handling of REST API XML deserialization errors in Jenkins
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2021-01-13