CVE-2021-21648

CWE-79 — Cross-site Scripting (XSS)6 documents6 sources

Severity

6.1MEDIUM

EPSS

0.3%

top 45.83%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Credentials Plugin Jenkins Credentials

Timeline

PublishedMay 11

Latest updateJun 16

Description

Jenkins Credentials Plugin 2.3.18 and earlier does not escape user-controlled information on a view it provides, resulting in a reflected cross-site scripting (XSS) vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

▶Mavenorg.jenkins-ci.plugins:credentials2.3.16 — 2.3.19+5

▶CVEListV5jenkins_project/jenkins_credentials_pluginunspecified — 2.3.18

▶NVDjenkins/credentials2.3.18

🔴Vulnerability Details

GHSA

Cross-Site Request Forgery in Jenkins Credentials Plugin↗2021-06-16

▶

OSV

Cross-Site Request Forgery in Jenkins Credentials Plugin↗2021-06-16

▶

CVEList

CVE-2021-21648: Jenkins Credentials Plugin 2↗2021-05-11

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2021-05-11↗2021-05-11

▶

Red Hat

jenkins-2-plugins/credentials: Reflected XSS vulnerability in Credentials Plugin↗2021-05-11

▶