PT-2021-14647 · Jenkins · Jenkins

Ismail Aydemir · Published 2021-01-13 · Updated 2024-03-06 · CVE-2021-21604

CVSS v3.1: 8.0 (High)

Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Jenkins versions 2.274 and earlier, LTS versions 2.263.1 and earlier.

Description: The issue allows attackers with permission to create or configure various objects to inject crafted content into the Old Data Monitor, resulting in the instantiation of potentially unsafe objects once an administrator discards the old data. This is possible because, when deserialization fails due to invalid data, Jenkins stores the invalid object references submitted through its XML REST APIs in the Old Data Monitor. If an administrator then discards the old data, some of the erroneous data submitted to these endpoints may be persisted. Attackers with View/Create, Job/Create, Agent/Create, or the respective */Configure permissions can exploit this.

Recommendations: For Jenkins versions 2.274 and earlier, update to version 2.275 or later. For LTS versions 2.263.1 and earlier, update to version 2.263.2 or later. As a temporary workaround, consider setting the Java system properties hudson.util.RobustReflectionConverter.recordFailuresForAdmins and hudson.util.RobustReflectionConverter.recordFailuresForAllAuthentications to true; these record configuration data submissions from administrators or from all users, respectively, and thereby partially or completely disable this fix.
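The affected-version ranges and the two opt-out system properties above, as an added example that is not part of this advisory: a small Python check that classifies a Jenkins version string as a weekly (two-part) or LTS (three-part) release, reports whether it falls inside the vulnerable range for its line, and flags JVM options that set either property to true. The version strings and JVM option strings below are constructed samples (in practice the version is typically read from the X-Jenkins response header).

```python
import re

# Fixed releases named in the advisory (CVE-2021-21604):
# weekly line fixed in 2.275, LTS line fixed in 2.263.2.
WEEKLY_FIXED = (2, 275)
LTS_FIXED = (2, 263, 2)

# System properties that, per the advisory, re-enable recording of failed
# submissions in the Old Data Monitor and so partially or fully undo the fix.
OPT_OUT_PROPERTIES = (
    "hudson.util.RobustReflectionConverter.recordFailuresForAdmins",
    "hudson.util.RobustReflectionConverter.recordFailuresForAllAuthentications",
)


def parse_version(version: str) -> tuple:
    """Turn '2.263.1' into (2, 263, 1); weekly releases have two parts, LTS three."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Jenkins version: {version!r}")
    return tuple(int(p) for p in m.groups() if p is not None)


def fixed_release_for(version: str) -> tuple:
    """Pick the fixed release on the same line (LTS or weekly) as the given version."""
    return LTS_FIXED if len(parse_version(version)) == 3 else WEEKLY_FIXED


def is_vulnerable(version: str) -> bool:
    """True if the version is inside the advisory's affected range for its line."""
    return parse_version(version) < fixed_release_for(version)


def fix_disabled_by(java_opts: str) -> list:
    """Return the opt-out properties explicitly set to true in a JVM option string."""
    return [p for p in OPT_OUT_PROPERTIES
            if re.search(rf"-D{re.escape(p)}=true\b", java_opts)]


def assess(version: str, java_opts: str = "") -> str:
    """One-line verdict combining the version check and the opt-out check."""
    if is_vulnerable(version):
        return f"{version}: vulnerable, upgrade to {'.'.join(map(str, fixed_release_for(version)))}"
    disabled = fix_disabled_by(java_opts)
    if disabled:
        return f"{version}: patched, but fix weakened by {', '.join(disabled)}"
    return f"{version}: patched"


if __name__ == "__main__":
    # Constructed sample inputs: (version string, JVM options string)
    samples = [("2.274", ""), ("2.263.1", ""), ("2.263.2", ""),
               ("2.275", "-Dhudson.util.RobustReflectionConverter.recordFailuresForAllAuthentications=true")]
    for ver, opts in samples:
        print(assess(ver, opts))
```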

Fix

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

BIT-JENKINS-2021-21604
CVE-2021-21604
GHSA-QV6F-RCV6-6Q3X
RHSA-2021:0423
RHSA-2021:0429
RHSA-2021:0637

Affected Products

Jenkins