PT-2021-14721 · Jenkins · Jenkins Swamp Plugin+1

Daniel Beck · Published 2021-08-31 · Updated 2023-11-22 · CVE-2021-21678

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Jenkins SAML Plugin versions 1.1.3 through 2.0.7

Description: The issue allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins. This is due to an overly permissive implementation of an extension point in the Jenkins SAML Plugin, which is meant to selectively disable cross-site request forgery protection for specific URLs. The vulnerability was originally introduced in Jenkins SAML Plugin 1.1.3.

Recommendations: For Jenkins SAML Plugin versions 1.1.3 through 2.0.7, update to version 2.0.8, which restricts the URLs for which CSRF protection is disabled, mitigating the issue. As a temporary workaround, consider restricting access to sensitive URLs in Jenkins to minimize the risk of exploitation.
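The extension point referred to above is Jenkins' CrumbExclusion, which lets a plugin exempt chosen URLs from the crumb (CSRF token) check. The following is an added illustration of the hardened shape such an exemption should take, not the SAML plugin's own code; the class name and the exempt path "/securityRealm/finishLogin" are assumptions, since the advisory does not name the plugin's endpoint.

```java
// Added example (hypothetical class, not from the Jenkins SAML Plugin):
// a CrumbExclusion that exempts exactly one endpoint path from CSRF
// protection and nothing else.
package example;

import hudson.Extension;
import hudson.security.csrf.CrumbExclusion;
import java.io.IOException;
import java.util.Set;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@Extension
public class StrictCallbackCrumbExclusion extends CrumbExclusion {

    // Fixed allowlist of exact servlet paths (path assumed for illustration).
    private static final Set<String> EXEMPT_PATHS =
            Set.of("/securityRealm/finishLogin");

    @Override
    public boolean process(HttpServletRequest request,
                           HttpServletResponse response,
                           FilterChain chain)
            throws IOException, ServletException {
        String path = request.getPathInfo();
        // Exact, case-sensitive comparison against the allowlist. A prefix,
        // suffix or substring test here would let unrelated URLs inherit the
        // exemption, which is the overly permissive behaviour this advisory
        // describes; the exemption must never depend on attacker-controlled
        // parts of the URL.
        if (path != null && EXEMPT_PATHS.contains(path)) {
            chain.doFilter(request, response);
            return true;   // crumb check skipped only for this one endpoint
        }
        return false;      // every other URL keeps CSRF protection
    }
}
```

When reviewing a plugin's CrumbExclusion, the check to make is that the exemption decision is an exact match on a short fixed list of paths, not a pattern that a crafted URL can satisfy.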

Fix

Weakness Enumeration
Protection Mechanism Failure
CSRF

Related Identifiers
CVE-2021-21678
GHSA-R5W3-PFQ8-3R82

Affected Products
Jenkins
Jenkins Swamp Plugin