PT-2021-14653 · Jenkins · Jenkins

Daniel Beck

·

Published

2021-01-13

·

Updated

2024-03-06

·

CVE-2021-21610

CVSS v3.1

6.1

Medium

Vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions Jenkins versions 2.274 and earlier, LTS versions 2.263.1 and earlier
Description Jenkins versions 2.274 and earlier, LTS 2.263.1 and earlier, do not restrict how the URL that renders a formatted preview of markup can be accessed: the markup arrives as a query parameter and is rendered in the response, so a crafted link is enough to make a victim's browser render attacker-controlled markup. If the configured markup formatter does not prohibit unsafe elements (JavaScript) in markup, this is a reflected cross-site scripting (XSS) vulnerability. The preview is normally reached when users choose to have Jenkins render a formatted preview of a description they have entered. Jenkins 2.275 and LTS 2.263.2 mitigate the issue by requiring that preview URLs are accessed using POST, which stops exploitation by simply linking to the URL, and by setting Content-Security-Policy headers that prevent execution of unsafe elements when the URL is accessed directly. Note that the fix does not change what the configured markup formatter emits: with a formatter that allows JavaScript, the preview response still contains it, and the CSP header is what keeps the browser from executing it.
Recommendations Update Jenkins 2.274 and earlier to 2.275, and LTS 2.263.1 and earlier to LTS 2.263.2. The fixed versions introduce the Java system properties hudson.markup.MarkupFormatter.previewsAllowGET and hudson.markup.MarkupFormatter.previewsSetCSP; their defaults (false and true respectively) enable the protections, and changing them to true and false restores the previous, vulnerable behaviour, which is discouraged. Until the update is applied, the exposure is governed by the markup formatter selected in the global security configuration: use a formatter that prohibits unsafe elements, such as the plain-text formatter or the OWASP Markup Formatter Plugin's Safe HTML formatter, and avoid formatters that do not, such as the Anything Goes Formatter Plugin. The CVSS vector records PR:N, so on a vulnerable instance with an unsafe formatter the preview URL is reachable without privileges; tightening user permissions does not by itself remove the risk.
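To make the mechanism and the fix concrete, the following Python model is an added example, not Jenkins code. It reproduces the control flow the description above attributes to the fix (POST required unless previewsAllowGET, CSP header set unless previewsSetCSP) beside the pre-fix behaviour, and runs a constructed reflected-XSS payload through each configuration. The endpoint path /markupFormatter/previewDescription, the query parameter name text, the 405 status for a rejected GET, the CSP value and both formatters are assumptions made for illustration.

```python
"""Model of the Jenkins markup-preview handler before and after the fix.

Added illustration, not Jenkins code. The endpoint path, the parameter
name, the 405 status for a rejected GET, the CSP value and both formatters
are assumptions made for this example.
"""
import html
import re
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


# Two stand-ins for the configurable markup formatter.
def anything_goes_formatter(text: str) -> str:
    """Like the Anything Goes Formatter Plugin: markup is passed through unchanged."""
    return text


def escaping_formatter(text: str) -> str:
    """Like a formatter that prohibits unsafe elements; here everything is escaped."""
    return html.escape(text)


# Constructed payload a victim would be lured into opening as
#   GET /markupFormatter/previewDescription?text=<payload>   (path assumed)
PAYLOAD = "<script>alert(document.domain)</script>"


def preview_vulnerable(method: str, text: str, formatter) -> Response:
    """Jenkins 2.274 / LTS 2.263.1 and earlier: any method is accepted, no CSP is set."""
    return Response(200, {"Content-Type": "text/html;charset=UTF-8"}, formatter(text))


def preview_fixed(method: str, text: str, formatter,
                  previews_allow_get: bool = False,
                  previews_set_csp: bool = True) -> Response:
    """Jenkins 2.275 / LTS 2.263.2 behaviour, parameterised by the two system properties.

    previews_allow_get  models hudson.markup.MarkupFormatter.previewsAllowGET (default false)
    previews_set_csp    models hudson.markup.MarkupFormatter.previewsSetCSP  (default true)
    """
    if method != "POST" and not previews_allow_get:
        return Response(405, {"Allow": "POST"}, "")  # status code assumed
    headers = {"Content-Type": "text/html;charset=UTF-8"}
    if previews_set_csp:
        # Assumed policy value; any policy without 'unsafe-inline' blocks inline script.
        headers["Content-Security-Policy"] = "default-src 'none';"
    return Response(200, headers, formatter(text))


def script_would_run(resp: Response) -> bool:
    """Simplified browser model: is there an inline <script> the page may execute?"""
    if resp.status != 200:
        return False
    csp = resp.headers.get("Content-Security-Policy", "")
    if csp and "'unsafe-inline'" not in csp:
        return False  # inline script blocked by the policy
    return re.search(r"<script\b", resp.body, re.I) is not None


def run_scenarios() -> dict:
    """Outcome of the crafted request against each handler configuration."""
    return {
        "old, unsafe formatter, GET": script_would_run(
            preview_vulnerable("GET", PAYLOAD, anything_goes_formatter)),
        "old, escaping formatter, GET": script_would_run(
            preview_vulnerable("GET", PAYLOAD, escaping_formatter)),
        "fixed, unsafe formatter, GET": script_would_run(
            preview_fixed("GET", PAYLOAD, anything_goes_formatter)),
        "fixed, unsafe formatter, POST": script_would_run(
            preview_fixed("POST", PAYLOAD, anything_goes_formatter)),
        "fixed but reverted via properties, GET": script_would_run(
            preview_fixed("GET", PAYLOAD, anything_goes_formatter,
                          previews_allow_get=True, previews_set_csp=False)),
    }


if __name__ == "__main__":
    for scenario, executes in run_scenarios().items():
        print(f"{scenario:40s} script executes: {executes}")
```

The last scenario is the one the recommendations warn against: flipping the two properties puts a fixed instance back into the pre-fix state. The "fixed, POST" scenario shows why the CSP header matters: with an unsafe formatter the response body still carries the script verbatim, and only the policy prevents the browser from running it.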

Fix

XSS

Weakness Enumeration

Related Identifiers

BIT-JENKINS-2021-21610
CVE-2021-21610
GHSA-7QF3-C2Q8-69M3
RHSA-2021:0423
RHSA-2021:0429
RHSA-2021:0637

Affected Products

Jenkins