CVE-2021-21630
Published 2021-03-30
CVE-2021-21630: Jenkins Extra Columns Plugin 1.22 and earlier does not escape parameter values in the build parameters column, resulting in a stored cross-site scripting (XSS)…
Priority P3 · 41 · medium · 5.4 (CVSS 3.1)
CVSS 3.1 metrics: AV:N AC:L PR:L UI:R S:C C:L I:L A:N
EPSS 72.39% (99.4th percentile)
Jenkins Extra Columns Plugin 1.22 and earlier does not escape parameter values in the build parameters column, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | build_with_parameters_plugin | — | — |
| jenkins | cloud_statistics_plugin | — | — |
| jenkins | extra_columns | <= 1.22 | — |
| jenkins | extra_columns_plugin | — | — |
| jenkins | owasp_dependency-track_plugin | — | — |
| jenkins | rest_list_parameter_plugin | — | — |
| jenkins | team_foundation_server_plugin | — | — |
| jenkins_project | jenkins_extra_columns_plugin | unspecified – 1.22 | — |
CVSS provenance
NVD v3.1: 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
NVD v2.0: 3.5 LOW AV:N/AC:M/Au:S/C:N/I:P/A:N
GHSA
Stored XSS vulnerability in Jenkins Extra Columns Plugin
ghsa·2022-05-24
CVE-2021-21630 [MEDIUM] CWE-79 Stored XSS vulnerability in Jenkins Extra Columns Plugin
Jenkins Extra Columns Plugin 1.22 and earlier does not escape parameter values in the build parameters column.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. Additionally, a view containing such a job needs to be configured with the build parameters column, or the attacker also needs View/Configure permission.
Jenkins Extra Columns Plugin 1.23 escapes parameter values in the build parameters column.
OSV
Stored XSS vulnerability in Jenkins Extra Columns Plugin
osv·2022-05-24
CVE-2021-21630 [MEDIUM] Stored XSS vulnerability in Jenkins Extra Columns Plugin
Jenkins
Jenkins Security Advisory 2021-03-30
vendor_jenkins·2021-03-30·CVSS 5.4
CVE-2021-21628 [MEDIUM] Jenkins Security Advisory 2021-03-30
This advisory announces vulnerabilities in the following Jenkins deliverables:
Build With Parameters Plugin
Cloud Statistics Plugin
Extra Columns Plugin
Jabber (XMPP) notifier and control Plugin
OWASP Dependency-Track Plugin
REST List Parameter Pl
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published 2021-03-30