CVE-2021-21610
jenkins: Reflected XSS vulnerability in markup formatter preview
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not implement any restrictions for the URL rendering a formatted preview of markup passed as a query parameter, resulting in a reflected cross-site scripting (XSS) vulnerability if the configured markup formatter does not prohibit unsafe elements (JavaScript) in markup.
Jenkins versiones 2.274 y anteriores, LTS versiones 2.263.1 y anteriores, no implementan ninguna restricción para la URL que presenta una vista previa formateada del marcado pasado como un parámetro de consulta, resultando en una vulnerabilidad de tipo cross-site scripting (XSS) reflejada si el formateador de marcado configurado no prohíbe elementos no seguros (JavaScript) en el marcado.
A flaw was found in jenkins. A cross-site scripting (XSS) vulnerability is possible due to the lack of restrictions in URL rendering in the formatted previews of markup passed as a query parameter if the configured markup formatter does not prohibit unsafe elements in the markup. The highest threat from this vulnerability is to data confidentiality and integrity.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-01-04 CVE Reserved
- 2021-01-13 CVE Published
- 2023-09-29 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (3)
URL | Tag | Source |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2153 | 2023-11-02 | |
https://access.redhat.com/security/cve/CVE-2021-21610 | 2021-03-03 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1925151 | 2021-03-03 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Jenkins Search vendor "Jenkins" | Jenkins Search vendor "Jenkins" for product "Jenkins" | <= 2.263.1 Search vendor "Jenkins" for product "Jenkins" and version " <= 2.263.1" | lts |
Affected
| ||||||
Jenkins Search vendor "Jenkins" | Jenkins Search vendor "Jenkins" for product "Jenkins" | <= 2.274 Search vendor "Jenkins" for product "Jenkins" and version " <= 2.274" | - |
Affected
|