PT-2021-14727 · Jenkins · Jenkins Git Plugin

Author: Daniel Beck
Published: 2021-10-06 · Updated: 2023-11-22
CVE: CVE-2021-21684
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins Git Plugin versions 4.8.2 and earlier

Description: Jenkins Git Plugin does not escape the Git SHA-1 checksum parameters supplied in commit notifications when it displays them in a build cause, resulting in a stored cross-site scripting (XSS) vulnerability. Attackers able to submit crafted commit notifications to the "/git/notifyCommit" endpoint can exploit it. The vulnerability is only exploitable in Jenkins 2.314 and earlier and LTS 2.303.1 and earlier.

Recommendations: Users of Jenkins Git Plugin 4.8.2 and earlier should update to version 4.8.3 or later, which rejects Git SHA-1 checksum parameters that do not match the expected format and sanitizes existing values when displaying them in the UI. As a temporary workaround, restrict access to the "/git/notifyCommit" endpoint until the update has been applied.
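The two controls named in the fix, rejecting a checksum that is not 40 hex digits at the endpoint and HTML-escaping at display time so that values stored by an unpatched version cannot inject markup, are shown below in a small added example. This is illustrative Python written for this advisory, not the plugin's own Java code; the parameter name "sha1", the `accept_notification` and `build_cause_*` functions and the sample values are constructed for the example.

```python
import html
import re

# Constructed sample values for this example (not taken from the advisory).
VALID_SHA1 = "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3"
CRAFTED_SHA1 = '<img src=x onerror="alert(1)">'

# A Git SHA-1 object name is exactly 40 hexadecimal digits; accept either case
# but nothing else (no whitespace, no partial hashes, no markup).
SHA1_PATTERN = re.compile(r"[0-9a-fA-F]{40}")


def is_valid_sha1(value):
    """True only if value is a syntactically valid Git SHA-1 object name."""
    return isinstance(value, str) and SHA1_PATTERN.fullmatch(value) is not None


def build_cause_vulnerable(sha1):
    """Pre-fix behaviour: the parameter is interpolated into the build cause unescaped."""
    return "Started by commit notification for " + sha1


def accept_notification(params):
    """Post-fix input validation for a commit notification.

    params: dict of query parameters (hypothetical shape used by this example).
    Returns the accepted SHA-1, None if no checksum was supplied, or raises
    ValueError for any value that does not match the expected format.
    """
    sha1 = params.get("sha1")
    if sha1 is None:
        return None
    if not is_valid_sha1(sha1):
        raise ValueError("sha1 parameter rejected: expected 40 hex digits")
    return sha1


def build_cause_hardened(sha1):
    """Post-fix display: HTML-escape the value even after validation.

    Escaping at the sink also neutralises values persisted by an unpatched
    version before format validation existed (defence in depth).
    """
    return "Started by commit notification for " + html.escape(sha1, quote=True)


def demo():
    """Run both paths over the constructed samples and return the outcomes."""
    results = {"valid_accepted": accept_notification({"sha1": VALID_SHA1})}
    try:
        accept_notification({"sha1": CRAFTED_SHA1})
        results["crafted_rejected"] = False
    except ValueError:
        results["crafted_rejected"] = True
    # Render the crafted value through the old and the hardened sink.
    results["vulnerable_output"] = build_cause_vulnerable(CRAFTED_SHA1)
    results["hardened_output"] = build_cause_hardened(CRAFTED_SHA1)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

Validation at the endpoint is the primary control; the escape at the sink matters because records created before the upgrade still carry whatever was submitted at the time, which is exactly the case the advisory's "sanitizes existing values" wording covers.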

Tags: Fix, XSS

Weakness Enumeration: Improper Encoding or Escaping of Output

Related Identifiers: CVE-2021-21684, GHSA-GGHC-G8CJ-4VFV, RHSA-2022:0055

Affected Products: Jenkins, Jenkins Git Plugin