CVE-2021-21607 — Allocation of Resources Without Limits or Throttling in Project Jenkins

CWE-770 — Allocation of Resources Without Limits or Throttling6 documents6 sources

Severity

6.5MEDIUMNVD

EPSS

0.3%

top 43.88%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Jenkins

Timeline

PublishedJan 13

Latest updateMay 24

Description

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not limit sizes provided as query parameters to graph-rendering URLs, allowing attackers to request crafted URLs that use all available memory in Jenkins, potentially leading to out of memory errors.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶NVDjenkins/jenkins2.263.1+1

▶CVEListV5jenkins_project/jenkinsunspecified — 2.274+1

🔴Vulnerability Details

OSV

Excessive memory allocation in graph URLs leads to denial of service in Jenkins↗2022-05-24

▶

GHSA

Excessive memory allocation in graph URLs leads to denial of service in Jenkins↗2022-05-24

▶

CVEList

CVE-2021-21607: Jenkins 2↗2021-01-13

▶

📋Vendor Advisories

Red Hat

jenkins: Excessive memory allocation in graph URLs leads to denial of service↗2021-01-13

▶

Jenkins

Jenkins Security Advisory 2021-01-13↗2021-01-13

▶