CVE-2021-21659
published 2021-05-25

CVE-2021-21659: Jenkins URLTrigger Plugin 0.48 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

Priority: P263 · Severity: high · CVSS 3.1 base score: 8.1
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
EPSS: 66.77% (99.2th percentile)

Affected (6 ranges)

Vendor          | Product                    | Version range       | Fixed in
jenkins         | filesystem_trigger_plugin  |                     |
jenkins         | markdown_formatter_plugin  |                     |
jenkins         | nuget_plugin               |                     |
jenkins         | urltrigger                 | <= 0.48             |
jenkins         | urltrigger_plugin          |                     |
jenkins_project | jenkins_urltrigger_plugin  | unspecified – 0.48  |

Detection & IOCs (extracted from sources)

  • XXE attack vector targets Jenkins URLTrigger Plugin 0.48 and earlier; the attacker must have Job/Configure permission or control the contents of a URL pointing to an XML document being polled for changes.
  • URLTrigger Plugin 0.48 and earlier does not disable external entity resolution in its XML parser, making it vulnerable to XXE. Version 0.49 applies the fix.
  • URLTrigger Plugin 0.49 disables external entity resolution for its XML parser; upgrade to this version to remediate CVE-2021-21659.

CVSS provenance

Source | Version | Score | Severity | Vector
nvd    | v3.1    | 8.1   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
nvd    | v2.0    | 5.5   | MEDIUM   | AV:N/AC:L/Au:S/C:P/I:N/A:P