CVE-2021-21666

Name of the Vulnerable Software and Affected Versions Jenkins Kiuwan Plugin versions 1.6.0 and earlier

Description The issue is related to a reflected cross-site scripting (XSS) vulnerability. It occurs because the Jenkins Kiuwan Plugin does not escape query parameters in an error message for a form validation endpoint. This allows an attacker to inject malicious scripts into the error message, potentially leading to the execution of unauthorized code on the user's browser. Only older releases of Jenkins are affected by this vulnerability, with Jenkins 2.275 and newer, and LTS 2.263.2 and newer including a protection that prevents this vulnerability from being exploitable.

Recommendations For Jenkins Kiuwan Plugin versions 1.6.0 and earlier, update to version 1.6.1 or newer, which escapes affected parts of the error message in the form validation endpoint. As a temporary workaround, consider restricting access to the form validation endpoint until the issue is resolved.