CVE-2021-21644
Published 2021-04-21
Priority P4 · 21 · medium · 5.4 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
EPSS: 1.05% (60.1th percentile)
A cross-site request forgery (CSRF) vulnerability in Jenkins Config File Provider Plugin 3.7.0 and earlier allows attackers to delete configuration files corresponding to an attacker-specified ID.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | cloudbees_cd_plugin | — | — |
| jenkins | config_file_provider | <= 3.7.0 | — |
| jenkins | config_file_provider_plugin | — | — |
| jenkins | ids_in_config_file_provider_plugin | — | — |
| jenkins | script_security_plugin | — | — |
| jenkins | templating_engine_plugin | — | — |
| jenkins_project | jenkins_config_file_provider_plugin | unspecified – 3.7.0 | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L |
| nvd | v2.0 | 5.8 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:P |
| vendor_redhat | — | 5.4 | MEDIUM | — |
GHSA · 2022-05-24 · CVE-2021-21644 [MEDIUM] CWE-352
CSRF vulnerability in Jenkins Config File Provider Plugin allows deleting configuration files
Jenkins Config File Provider Plugin 3.7.0 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.
This vulnerability allows attackers to delete configuration files corresponding to an attacker-specified ID.
This is due to an incomplete fix of [SECURITY-938](https://www.jenkins.io/security/advisory/2018-09-25/#SECURITY-938).
Jenkins Config File Provider Plugin 3.7.1 requires POST requests for the affected HTTP endpoint.
OSV · 2022-05-24 · CVE-2021-21644 [MEDIUM]
CSRF vulnerability in Jenkins Config File Provider Plugin allows deleting configuration files
(Same description as the GHSA entry above: 3.7.0 and earlier does not require POST for the endpoint; 3.7.1 requires POST; incomplete fix of SECURITY-938.)
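The GHSA and OSV entries above describe the defect class ("does not require POST requests for an HTTP endpoint") and the fix ("requires POST requests for the affected HTTP endpoint") without showing code. The following is an added illustration, not the Config File Provider Plugin's own source: the class, URL name, method names and the in-memory store are hypothetical, while `@RequirePOST`, `@QueryParameter`, `RootAction`, `HttpResponses.redirectToDot()` and `Jenkins.get().checkPermission(...)` are the real Stapler/Jenkins APIs a plugin author would use. It shows the same state-changing handler with and without the method restriction.

```java
package io.example.configfiles; // hypothetical package, not the real plugin's

import hudson.Extension;
import hudson.model.RootAction;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Hypothetical Stapler-bound object exposing a "delete config file" web method.
 * Stapler maps doRemoveConfig(...) to <jenkins-root>/config-files-example/removeConfig.
 */
@Extension
public class ConfigFilesExampleAction implements RootAction {

    // Constructed in-memory stand-in for the plugin's config-file store (id -> content).
    private final Map<String, String> store = new ConcurrentHashMap<>();

    @Override public String getIconFileName() { return null; } // null: no sidebar link
    @Override public String getDisplayName() { return "Config files (example)"; }
    @Override public String getUrlName() { return "config-files-example"; }

    /**
     * BEFORE: the defect class named in the advisory. Authorization is checked, but the
     * handler accepts any HTTP method. Jenkins' CSRF crumb filter only validates a crumb
     * on POST, so a state-changing action reachable by GET runs with whatever session the
     * browser attaches and no token is ever checked.
     */
    public HttpResponse doRemoveConfigBefore(@QueryParameter String id) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        store.remove(id);
        return HttpResponses.redirectToDot();
    }

    /**
     * AFTER: what "requires POST requests for the affected HTTP endpoint" means in code.
     * @RequirePOST makes Stapler reject non-POST requests before the body executes, which
     * puts the request under the crumb filter. The permission check stays: method
     * restriction and authorization are independent layers, and both are needed.
     */
    @RequirePOST
    public HttpResponse doRemoveConfig(@QueryParameter String id) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        store.remove(id);
        return HttpResponses.redirectToDot();
    }
}
```

When reviewing a plugin for this pattern, the check is mechanical: every `do*` web method that mutates state should carry `@RequirePOST` (or `@POST`), and a plugin's `JenkinsRule`-based tests can assert that a GET to the endpoint is refused while a crumbed POST succeeds.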
Jenkins
Jenkins Security Advisory 2021-04-21
vendor_jenkins · 2021-04-21 · CVSS 8.1 · CVE-2021-21642 [HIGH]
This advisory announces vulnerabilities in the following Jenkins deliverables:
- CloudBees CD Plugin
- Config File Provider Plugin
- Templating Engine Plugin
Descriptions
XXE vulnerability in Config File Provider Plugin
SECURITY-2204 / CVE-2021-21642
Severity
Red Hat
vendor_redhat · 2021-04-21 · CVSS 5.4 · CVE-2021-21644 [MEDIUM] CWE-352
jenkins-2-plugins/config-file-provider: does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.
A cross-site request forgery (CSRF) vulnerability was found in the config-file-provider Jenkins plugin. The plugin does not require POST requests for an HTTP endpoint, which allows attackers to delete configuration files corresponding to an attacker-specified ID.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2021-04-21