CVE-2021-21679: Cross-Site Request Forgery in Project Jenkins Azure AD Plugin

Severity: 8.8 HIGH (NVD)
EPSS: 0.1% (top 82.93%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 31; Latest update May 24

Description

Jenkins Azure AD Plugin 179.vf6841393099e and earlier allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (2 packages)

CVEListV5: jenkins_project/jenkins_azure_ad_plugin, versions 164.v5b48baa961d2 to unspecified (+1)
NVD: jenkins/azure_ad, versions 164.v5b48baa961d2 to 179.vf6841393099e

Vulnerability Details (3)

OSV: Jenkins Azure AD Plugin allows bypassing CSRF protection for any URL (2022-05-24)
GHSA: Jenkins Azure AD Plugin allows bypassing CSRF protection for any URL (2022-05-24)
CVEList: CVE-2021-21679: Jenkins Azure AD Plugin 179 (2021-08-31)

Vendor Advisories (1)

Jenkins: Jenkins Security Advisory 2021-08-31 (2021-08-31)
CVE-2021-21679 — Cross-Site Request Forgery | cvebase