// For flags

CVE-2021-21604

jenkins: Improper handling of REST API XML deserialization errors

Severity Score

8.0
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows attackers with permission to create or configure various objects to inject crafted content into Old Data Monitor that results in the instantiation of potentially unsafe objects once discarded by an administrator.

Jenkins versiones 2.274 y anteriores, LTS versiones 2.263.1 y anteriores, permite a atacantes con permiso para crear o configurar varios objetos para inyectar contenido diseñado en Old Data Monitor que resulta en la instanciación de objetos potencialmente no seguros una vez que son descartados por un administrador.

A flaw was found in jenkins. An attacker with permission to create or configure various objects to inject crafted content into Old Data Monitor can cause the instantiation of potentially unsafe objects once discarded by an administrator. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Medium
Authentication
Single
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-01-04 CVE Reserved
  • 2021-01-13 CVE Published
  • 2023-03-08 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-502: Deserialization of Untrusted Data
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Jenkins
Search vendor "Jenkins"
Jenkins
Search vendor "Jenkins" for product "Jenkins"
<= 2.263.1
Search vendor "Jenkins" for product "Jenkins" and version " <= 2.263.1"
lts
Affected
Jenkins
Search vendor "Jenkins"
Jenkins
Search vendor "Jenkins" for product "Jenkins"
<= 2.274
Search vendor "Jenkins" for product "Jenkins" and version " <= 2.274"
-
Affected