CVE-2021-21639
Published 2021-04-07
CVE-2021-21639: Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not validate the type of object created after loading the data submitted to the `config.xml` REST API…
Priority P4 · 26 · medium · 4.3 CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
EPSS: 2.73% (84.2th percentile)
Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not validate the type of object created after loading the data submitted to the `config.xml` REST API endpoint of a node, allowing attackers with Computer/Configure permission to replace a node with one of a different type.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | jenkins | <= 2.277.1 | — |
| jenkins | jenkins | <= 2.286 | — |
| jenkins | jenkins_core | — | — |
| jenkins | jenkins_lts | — | — |
| jenkins | jenkins_weekly | — | — |
| jenkins | opentext_application_automation_tools_plugin | — | — |
| jenkins_project | jenkins | unspecified – 2.286 | — |
CVSS provenance
- NVD v3.1: 4.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
- NVD v2.0: 4.0 MEDIUM, AV:N/AC:L/Au:S/C:N/I:P/A:N
- Red Hat (vendor): 4.3 MEDIUM
GHSA · 2022-05-24 · CVE-2021-21639 [MEDIUM] · CWE-20
Lack of type validation in agent related REST API in Jenkins
Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not validate the type of object created after loading the data submitted to the `config.xml` REST API endpoint of a node.
This allows attackers with Computer/Configure permission to replace a node with one of a different type.
Jenkins 2.287, LTS 2.277.2 validates the type of object created and rejects objects of unexpected types.
OSV · 2022-05-24 · CVE-2021-21639 [MEDIUM]
Lack of type validation in agent related REST API in Jenkins
Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not validate the type of object created after loading the data submitted to the `config.xml` REST API endpoint of a node.
This allows attackers with Computer/Configure permission to replace a node with one of a different type.
Jenkins 2.287, LTS 2.277.2 validates the type of object created and rejects objects of unexpected types.
Red Hat · 2021-04-07 · CVSS 4.3 · CVE-2021-21639 [MEDIUM] · CWE-20
jenkins: lack of type validation in agent related REST API
Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not validate the type of object created after loading the data submitted to the `config.xml` REST API endpoint of a node, allowing attackers with Computer/Configure permission to replace a node with one of a different type.
A flaw was found in Jenkins. Due to a lack of validation of the type of object created after loading the data submitted to the config.xml REST API endpoint of a node, attackers with Computer/Configure permission are able to replace a node with one of a different type.
Package: jenkins (Red Hat Fuse 7) - Not affected
Package: jenkins (Red Hat OpenShift Container Platform 3.11) - Fix deferred
Jenkins · 2021-04-07 · CVSS 4.3 · CVE-2021-21639 [MEDIUM]
Jenkins Security Advisory 2021-04-07
This advisory announces vulnerabilities in the following Jenkins deliverables:
- Jenkins (core)
- OpenText Application Automation Tools Plugin
- promoted builds Plugin
Descriptions
Lack of type validation in agent related REST API
SECURITY-1721 / CVE-2021-21639
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published 2021-04-07