PT-2021-14654 · Jenkins · Jenkins

Jesse Glick

Published 2021-01-13 · Updated 2024-03-06 · CVE-2021-21611

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins versions 2.274 and earlier, LTS versions 2.263.1 and earlier

Description: Jenkins does not properly escape the display names and IDs of item types shown on the New Item page. This results in a stored cross-site scripting (XSS) vulnerability that is exploitable by attackers able to specify such display names or IDs. As of the publication of this advisory, the Jenkins security team is not aware of any plugins published via the Jenkins project update center that allow doing this.

Recommendations: For Jenkins versions 2.274 and earlier, update to version 2.275 or later. For LTS versions 2.263.1 and earlier, update to version 2.263.2 or later.

Fix

XSS

Weakness Enumeration

Related Identifiers

BIT-JENKINS-2021-21611
CVE-2021-21611
GHSA-MJ7Q-CMF3-MG7H
RHSA-2021:0423
RHSA-2021:0429
RHSA-2021:0637

Affected Products

Jenkins