CVE-2021-21676

CWE-862Missing Authorization6 documents5 sources
Severity
4.3MEDIUM
EPSS
0.0%
top 91.14%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Jenkins Project Jenkins Requests-plugin PluginJenkins Requests
Timeline
PublishedJun 30
Latest updateFeb 13

Description

Jenkins requests-plugin Plugin 2.2.7 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to send test emails to an attacker-specified email address.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

CVEListV5jenkins_project/jenkins_requests-plugin_pluginunspecified2.2.7
NVDjenkins/requests2.2.7

🔴Vulnerability Details

4
OSV
fig2dev vulnerabilities2023-02-13
OSV
Missing permission check in Jenkins requests-plugin Plugin allows sending emails2022-05-24
GHSA
Missing permission check in Jenkins requests-plugin Plugin allows sending emails2022-05-24
CVEList
CVE-2021-21676: Jenkins requests-plugin Plugin 22021-06-30

📋Vendor Advisories

1
Jenkins
Jenkins Security Advisory 2021-06-302021-06-30
CVE-2021-21676 (MEDIUM CVSS 4.3) | Jenkins requests-plugin Plugin 2.2. | cvebase.io