PT-2021-14689 · Jenkins · Jenkins Templating Engine Plugin
Daniel Beck · Published 2021-04-21 · Updated 2023-10-25
CVE-2021-21646
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Jenkins Templating Engine Plugin versions 2.1 and earlier
Description
The issue allows attackers with Job/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM. This is because the plugin does not use the Script Security Plugin to protect its pipeline configurations.
Recommendations
For Jenkins Templating Engine Plugin versions 2.1 and earlier, update to version 2.2, which integrates with the Script Security Plugin to protect pipeline configurations.
Fix
Protection Mechanism Failure
Weakness Enumeration
Related Identifiers
Affected Products
Jenkins
Jenkins Templating Engine Plugin
Script Security Plugin