PT-2021-14662 · Jenkins · Jenkins Claim Plugin+1
Wadeck Follonier · Published 2021-02-24 · Updated 2023-11-03
CVE-2021-21619
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Jenkins Claim Plugin versions 2.18.1 and earlier
Description
This is a stored cross-site scripting (XSS) vulnerability: the Jenkins Claim Plugin does not escape the user display name, so attackers who can control the display names of Jenkins users, either via the security realm or directly inside Jenkins, can exploit it. Because everyone with a Jenkins account can change their own display name, any authenticated user is potentially able to exploit this issue.
Recommendations
For Jenkins Claim Plugin versions 2.18.1 and earlier, update to version 2.18.2 or later, which escapes the user display name shown in claims, thus resolving the stored cross-site scripting (XSS) vulnerability.
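As an added illustration of the pattern behind this issue and its remedy (not the Claim Plugin's own code, and not the actual change shipped in 2.18.2), the following plain-Java program renders a user display name into an HTML fragment twice: once concatenated unchanged, which is the vulnerable shape, and once escaped at the point where the untrusted text enters the markup. The class and method names, the sample display name and the template string are all constructed assumptions; the hand-rolled escaper exists only so the example runs stand-alone, and the comment names the real Jenkins helpers (`hudson.Util.escape` in Java, `h.escape` in Jelly views) that a plugin would use instead.

```java
public class ClaimDisplayNameRendering {

    // Constructed sample: a user has put HTML markup into their own profile display name.
    static final String HOSTILE_DISPLAY_NAME = "Mallory <script>alert(document.domain)</script>";

    /** Vulnerable pattern: the display name is concatenated into markup unchanged. */
    static String renderClaimUnescaped(String displayName) {
        return "<span class=\"claimant\">Claimed by " + displayName + "</span>";
    }

    /**
     * Minimal HTML text-context escaper, written here only to keep the example self-contained.
     * A real Jenkins plugin should not hand-roll this: hudson.Util.escape(String) in Java code,
     * or h.escape(...) in a Jelly view, does the same job.
     */
    static String escapeHtml(String text) {
        if (text == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(text.length() + 16);
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Fixed pattern: escape exactly where untrusted text enters HTML. */
    static String renderClaimEscaped(String displayName) {
        return "<span class=\"claimant\">Claimed by " + escapeHtml(displayName) + "</span>";
    }

    /**
     * Output check suitable for a unit test: the only angle brackets in the rendered fragment
     * should belong to the template, so removing the template's own tags must leave none behind.
     */
    static boolean leaksMarkup(String rendered) {
        String body = rendered
                .replace("<span class=\"claimant\">", "")
                .replace("</span>", "");
        return body.indexOf('<') >= 0 || body.indexOf('>') >= 0;
    }

    public static void main(String[] args) {
        String unescaped = renderClaimUnescaped(HOSTILE_DISPLAY_NAME);
        String escaped = renderClaimEscaped(HOSTILE_DISPLAY_NAME);
        System.out.println("unescaped: " + unescaped);
        System.out.println("  leaks markup? " + leaksMarkup(unescaped));
        System.out.println("escaped:   " + escaped);
        System.out.println("  leaks markup? " + leaksMarkup(escaped));
    }
}
```

Run it with `java ClaimDisplayNameRendering.java` (Java 11 or later). The unescaped rendering carries the `<script>` element through to the page, which is the stored XSS the advisory describes; the escaped rendering turns the same name into inert text, and the `leaksMarkup` check gives a regression test that catches any later view that forgets the escape.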
Fix
XSS
Affected Products
Jenkins
Jenkins Claim Plugin