CVE-2021-21639

CVSS v3.1

4.3

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions Jenkins versions 2.286 and earlier Jenkins LTS versions 2.277.1 and earlier

Description The issue arises from the lack of validation of the type of object created after loading data submitted to the "config.xml" REST API endpoint of a node. This allows attackers with Computer/Configure permission to replace a node with one of a different type.

Recommendations For Jenkins versions 2.286 and earlier, update to version 2.287 or later to resolve the issue. For Jenkins LTS versions 2.277.1 and earlier, update to version 2.277.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the config.xml REST API endpoint to minimize the risk of exploitation.

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

BIT-JENKINS-2021-21639

CVE-2021-21639

GHSA-PVWX-3JX5-24R2

RHSA-2021:1551

RHSA-2021:2437

Affected Products

Jenkins

CVE-2021-21639

Weakness Enumeration

Related Identifiers

Affected Products

References · 9