PT-2021-14722 · Jenkins · Jenkins Azure Ad Plugin

Daniel Beck · Published 2021-08-31 · Updated 2023-11-22 · CVE-2021-21679

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Jenkins Azure AD Plugin versions 164.v5b48baa961d2 through 179.vf6841393099e

Description: The vulnerability allows attackers to craft URLs that bypass the CSRF protection of any target URL in Jenkins. It is caused by an overly permissive implementation of an extension point in the Jenkins Azure AD Plugin that is intended to selectively disable cross-site request forgery protection for specific URLs. The vulnerability was originally introduced in Azure AD Plugin 164.v5b48baa961d2.

Recommendations: For Jenkins Azure AD Plugin versions 164.v5b48baa961d2 through 179.vf6841393099e, update to version 180.v8b1e80e6f242 or later, which no longer allows bypassing CSRF protection for URLs used by the JavaScript component. As a temporary workaround, consider reconfiguring the JavaScript component to pass the expected CSRF token until a patch is available.
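The extension point referred to above is Jenkins' CrumbExclusion, which a plugin implements to exempt specific URLs from the crumb (CSRF token) check. The following is an added illustration of the general defensive pattern, not code from the Azure AD Plugin: the exemption is restricted to one exact path, and the class name and path are hypothetical.

```java
// Added illustration (not the Azure AD Plugin's code): a CrumbExclusion that
// exempts exactly one callback path from the crumb check. Class name and
// EXCLUDED_PATH are hypothetical placeholders.
import hudson.Extension;
import hudson.security.csrf.CrumbExclusion;

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@Extension
public class ExampleCallbackCrumbExclusion extends CrumbExclusion {

    // Hypothetical URL served by a plugin's JavaScript component.
    private static final String EXCLUDED_PATH = "/example-plugin/callback";

    @Override
    public boolean process(HttpServletRequest request, HttpServletResponse response,
                           FilterChain chain) throws IOException, ServletException {
        // An overly permissive exclusion compares only a fragment of the URL
        // (for example a substring or prefix test), so unrelated Jenkins URLs
        // that happen to contain that fragment also skip the crumb check.
        // Requiring an exact match on the servlet path keeps the exemption
        // limited to the single URL the JavaScript component actually needs.
        String path = request.getPathInfo();
        if (path != null && EXCLUDED_PATH.equals(path)) {
            chain.doFilter(request, response); // skip the crumb check for this URL only
            return true;
        }
        return false; // every other URL stays behind the crumb filter
    }
}
```

When reviewing a plugin's CrumbExclusion, check that the comparison is an exact match on the path rather than a contains() or startsWith() test, and that the exempted URL does not accept state-changing parameters.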

Fix

Weakness Enumeration: Protection Mechanism Failure; CSRF

Related Identifiers: CVE-2021-21679, GHSA-X77R-7M5W-PQQ2

Affected Products: Jenkins; Jenkins Azure Ad Plugin