CVE-2021-21604

Severity: 8.0 HIGH
EPSS: 0.8% (top 25.38%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 13 | Latest update May 24

Description

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows attackers with permission to create or configure various objects to inject crafted content into Old Data Monitor that results in the instantiation of potentially unsafe objects once discarded by an administrator.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Exploitability: 2.1 | Impact: 5.9

Affected Packages (3 packages)

Maven | org.jenkins-ci.main:jenkins-core | 2.264 | 2.275 | +1
NVD | jenkins/jenkins | 2.263.1 | +1
CVEListV5 | jenkins_project/jenkins | unspecified | 2.274 | +1

Vulnerability Details (3)

OSV | Improper handling of REST API XML deserialization errors in Jenkins | 2022-05-24
GHSA | Improper handling of REST API XML deserialization errors in Jenkins | 2022-05-24
CVEList | CVE-2021-21604: Jenkins 2 | 2021-01-13

Vendor Advisories (2)

Red Hat | jenkins: Improper handling of REST API XML deserialization errors | 2021-01-13
Jenkins | Jenkins Security Advisory 2021-01-13 | 2021-01-13
CVE-2021-21604 (HIGH CVSS 8) | Jenkins 2.274 and earlier | cvebase.io