Main Vulnerability Database Vulnerabilities #VU51993

Input validation error in Jenkins and Jenkins LTS - CVE-2021-21639

Published: April 8, 2021

Vulnerability identifier: #VU51993

CSH Severity: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2021-21639

CWE-ID: CWE-20

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Jenkins
Jenkins LTS

Software vendor:
Jenkins

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to the affected software does not validate the type of object created after loading the data submitted to the "config.xml" REST API endpoint of a node. A remote authenticated attacker can replace a node with one of a different type.

Remediation

Install updates from vendor's website.

External links

http://www.openwall.com/lists/oss-security/2021/04/07/2
https://www.jenkins.io/security/advisory/2021-04-07/#SECURITY-1721

Input validation error in Jenkins and Jenkins LTS - CVE-2021-21639

Description

Remediation

External links

Please verify you're human