CVE-2021-21668
Published 2021-06-16
Priority: P3 · 42 · CVSS 3.1: 5.4 (Medium)
Vector: AV:N / AC:L / PR:L / UI:R / S:C / C:L / I:L / A:N
EPSS: 76.02% (99.5th percentile)
Jenkins Scriptler Plugin 3.1 and earlier does not escape script content, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Scriptler/Configure permission.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | scriptler | <= 3.1 | — |
| jenkins | scriptler_plugin | — | — |
| jenkins_project | jenkins_scriptler_plugin | unspecified – 3.1 | — |
Detection & IOCs (extracted from sources)
- Stored XSS in Scriptler Plugin 3.1 and earlier: script content is not escaped, exploitable by users with Scriptler/Configure permission. Monitor for script submissions containing unsanitized HTML/JS payloads via the Scriptler configuration interface.
- Exploitation requires the attacker to have Scriptler/Configure permission on the Jenkins instance; this is not an unauthenticated attack vector.
- Only Scriptler Plugin versions up to and including 3.1 are affected by CVE-2021-21668; version 3.2 introduces escaping of script content and is the fix.
CVSS provenance
- NVD v3.1: 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- NVD v2.0: 3.5 LOW · AV:N/AC:M/Au:S/C:N/I:P/A:N
Jenkins: Jenkins Security Advisory 2021-06-16 (vendor_jenkins · 2021-06-16 · CVSS 5.4)
CVE-2021-21667 [MEDIUM] Jenkins Security Advisory 2021-06-16
This advisory announces vulnerabilities in the following Jenkins deliverables:
- Scriptler Plugin
Descriptions
Stored XSS vulnerability in Scriptler Plugin
SECURITY-2224 / CVE-2021-21667
Severity (CVSS): High
Affected plugin: scriptler
GHSA: Stored XSS vulnerability in Jenkins Scriptler Plugin (ghsa · 2022-01-06)
CVE-2021-21668 [MEDIUM] CWE-79 Stored XSS vulnerability in Jenkins Scriptler Plugin
Jenkins Scriptler Plugin 3.1 and earlier does not escape script content.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Scriptler/Configure permission.
Jenkins Scriptler Plugin 3.2 escapes script content.
OSV: Stored XSS vulnerability in Jenkins Scriptler Plugin (osv · 2022-01-06)
CVE-2021-21668 [MEDIUM] Stored XSS vulnerability in Jenkins Scriptler Plugin
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2021-06-16