PT-2021-14720 · Jenkins · Jenkins Code Coverage API Plugin
Published 2021-08-31 · Updated 2023-11-22 · CVE-2021-21677
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Jenkins Code Coverage API Plugin versions 1.4.0 and earlier
Description
The issue results from the Jenkins Code Coverage API Plugin not applying Jenkins JEP-200 deserialization protection to Java objects it deserializes from disk. This leads to a remote code execution vulnerability that can be exploited by attackers who can control agent processes.
Recommendations
For Jenkins Code Coverage API Plugin versions 1.4.0 and earlier, update to version 1.4.1 or later, which configures its Java object deserialization to only deserialize safe types.
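The description and recommendation above describe the general pattern behind this class of bug: a plugin reads Java objects back from disk with an unrestricted deserializer, so whatever class the stored bytes name is instantiated, and the fix is to deserialize only an allowlist of expected types. The following is an added illustration of that pattern, not the plugin's own code and not Jenkins' JEP-200 implementation; it uses the JDK's own mechanism for the same goal, `java.io.ObjectInputFilter` (JEP 290, Java 9 and later). The class `SafeCoverageReader`, the record type `CoverageSummary`, and the sample inputs are all constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

// Added illustration (not the plugin's code): reading a persisted Java object
// back from disk with an allowlist filter, so that anything other than the
// expected record type is rejected before it is instantiated.
public class SafeCoverageReader {

    // Hypothetical stand-in for a record type a plugin might persist to disk.
    public static final class CoverageSummary implements Serializable {
        private static final long serialVersionUID = 1L;
        final String module;
        final int covered;
        final int total;

        CoverageSummary(String module, int covered, int total) {
            this.module = module;
            this.covered = covered;
            this.total = total;
        }
    }

    // JEP 290 filter: allow only the types we expect in the stream. The trailing
    // "!*" rejects every other class; the limits cap nesting depth and object
    // count so an oversized or deeply nested file cannot exhaust the reader.
    static final ObjectInputFilter ALLOW_ONLY_KNOWN_TYPES =
        ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxrefs=1000;"
            + "SafeCoverageReader$CoverageSummary;java.lang.String;!*");

    // Unfiltered reader (the weak form): whatever class the bytes name gets instantiated.
    static Object readUnfiltered(byte[] persisted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(persisted))) {
            return in.readObject();
        }
    }

    // Filtered reader (the corrected form): the filter is consulted for each class
    // descriptor before the class is resolved, so an unexpected type never gets constructed.
    static CoverageSummary readFiltered(byte[] persisted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(persisted))) {
            in.setObjectInputFilter(ALLOW_ONLY_KNOWN_TYPES);
            return (CoverageSummary) in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(o);
        }
        return bytes.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the expected record round-trips through the filtered reader.
        byte[] good = serialize(new CoverageSummary("core", 812, 1000));
        System.out.println("filtered read:   " + readFiltered(good).module);

        // Constructed sample: a harmless but unexpected type, standing in for a file
        // on disk whose contents are not what the plugin itself wrote.
        byte[] unexpected = serialize(new HashMap<String, String>());
        System.out.println("unfiltered read: " + readUnfiltered(unexpected).getClass().getName());
        try {
            readFiltered(unexpected);
        } catch (InvalidClassException e) {
            // Filter status REJECTED: the HashMap is never instantiated.
            System.out.println("filtered read:   rejected (" + e.getMessage() + ")");
        }
    }
}
```

The unfiltered reader happily returns a `java.util.HashMap` it was never meant to see; the filtered reader throws `InvalidClassException` on the first class descriptor that is not on the allowlist. The allowlist is deliberately exact class names plus `!*` rather than a package wildcard, because the point of the fix described above is that only the types the plugin itself writes are ever reconstructed.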
Fix
RCE
Deserialization of Untrusted Data
Affected Products
Jenkins
Jenkins Code Coverage API Plugin