CVE-2021-21659
Published 2021-05-25
CVE-2021-21659: Jenkins URLTrigger Plugin 0.48 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
Priority P2 · 63 · high · CVSS 3.1: 8.1
CVSS 3.1 vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:N / A:H
EPSS: 66.77% (99.2th percentile)
Jenkins URLTrigger Plugin 0.48 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | filesystem_trigger_plugin | — | — |
| jenkins | markdown_formatter_plugin | — | — |
| jenkins | nuget_plugin | — | — |
| jenkins | urltrigger | <= 0.48 | — |
| jenkins | urltrigger_plugin | — | — |
| jenkins_project | jenkins_urltrigger_plugin | unspecified – 0.48 | — |
Detection & IOCs (extracted from sources)
- XXE attack vector targets Jenkins URLTrigger Plugin 0.48 and earlier; attacker must have Job/Configure permission or control the contents of a URL pointing to an XML document being polled for changes
- URLTrigger Plugin 0.48 and earlier does not disable external entity resolution in its XML parser, making it vulnerable to XXE. Version 0.49 applies the fix.
- URLTrigger Plugin 0.49 disables external entity resolution for its XML parser; upgrade to this version to remediate CVE-2021-21659.
CVSS provenance
- NVD v3.1: 8.1 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)
- NVD v2.0: 5.5 MEDIUM (AV:N/AC:L/Au:S/C:P/I:N/A:P)
GHSA
XXE vulnerability in Jenkins URLTrigger Plugin
ghsa·2022-05-24
CVE-2021-21659 [HIGH] CWE-611 XXE vulnerability in Jenkins URLTrigger Plugin
XXE vulnerability in Jenkins URLTrigger Plugin
Jenkins URLTrigger Plugin 0.48 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers with Job/Configure permission or otherwise able to control the contents of a URL to an XML document being examined for changes to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the polling Jenkins controller or agent, server-side request forgery, or denial-of-service attacks.
Jenkins URLTrigger Plugin 0.49 disables external entity resolution for its XML parser.
OSV
XXE vulnerability in Jenkins URLTrigger Plugin
osv·2022-05-24
CVE-2021-21659 [HIGH] XXE vulnerability in Jenkins URLTrigger Plugin
Jenkins
Jenkins Security Advisory 2021-05-25
vendor_jenkins·2021-05-25·CVSS 8.8
CVE-2021-21657 [HIGH] Jenkins Security Advisory 2021-05-25
This advisory announces vulnerabilities in the following Jenkins deliverables:
- Filesystem Trigger Plugin
- Markdown Formatter Plugin
- Nuget Plugin
- URLTrigger Plugin
Descriptions
XXE vulnerability in Filesystem Trigger Plugin (SECURITY-2339 / CVE-2021-21657)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2021-05-25