Input validation error in Jenkins and Jenkins LTS - CVE-2021-21639

Published: April 8, 2021


Vulnerability identifier: #VU51993
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-21639
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Jenkins
Affected software:
Jenkins
Jenkins LTS

Detailed vulnerability description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists because the affected software does not validate the type of the object created after loading data submitted to the "config.xml" REST API endpoint of a node. A remote authenticated attacker can therefore replace a node with one of a different type.
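One defensive check that follows from this description is to baseline the object type of every node definition and alert when it changes, since the flaw lets a node be replaced by an object of a different type. The script below is an added example written for this page; it is not code from the advisory or from the Jenkins project. The node config.xml documents are constructed sample data: the `<slave>` root element mirrors what Jenkins writes for a permanent agent, while the other root element is a hypothetical placeholder for a different node type.

```python
"""Audit Jenkins node definitions for unexpected object types.

Added example, not from the advisory or the Jenkins project. The root element
of a node's config.xml names the class Jenkins instantiates for that node, so a
defender can record that tag per node from a trusted state and flag any drift.
"""
import xml.etree.ElementTree as ET

# Baseline captured earlier from a trusted state: node name -> root element tag.
BASELINE = {
    "build-linux-01": "slave",
    "build-win-01": "slave",
}

# Constructed config.xml documents, standing in for what would be read from
# each node's config.xml (on disk under the Jenkins home, or via the REST API).
SAMPLE_CONFIGS = {
    "build-linux-01": (
        "<slave><name>build-linux-01</name>"
        "<numExecutors>2</numExecutors></slave>"
    ),
    # Hypothetical: the root element no longer matches the baselined type.
    "build-win-01": (
        "<example.plugin.OtherNodeType><name>build-win-01</name>"
        "</example.plugin.OtherNodeType>"
    ),
}


def root_tag(config_xml: str) -> str:
    """Return the root element tag of a node config.xml document."""
    return ET.fromstring(config_xml).tag


def audit_node_types(baseline, configs):
    """Return (node, expected_tag, actual_tag) for every node whose type differs
    from the baseline; nodes absent from the baseline report expected=None."""
    findings = []
    for name, xml_text in configs.items():
        actual = root_tag(xml_text)
        expected = baseline.get(name)
        if expected != actual:
            findings.append((name, expected, actual))
    return findings


if __name__ == "__main__":
    for node, expected, actual in audit_node_types(BASELINE, SAMPLE_CONFIGS):
        print(f"node {node!r}: expected type {expected!r}, found {actual!r}")
```

In practice the baseline would be written when the controller is in a known-good state and the audit run on a schedule or after any node configuration change; a mismatch is a signal to inspect who submitted the node's config.xml and what type it now carries.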


How to mitigate CVE-2021-21639

Install updates from the vendor's website.

Sources