CVE-2021-21684
jenkins-2-plugins/git: stored XSS vulnerability
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits: 0
Exploited in Wild: -
Decision: -
Descriptions
Jenkins Git Plugin 4.8.2 and earlier does not escape the Git SHA-1 checksum parameters provided to commit notifications when displaying them in a build cause, resulting in a stored cross-site scripting (XSS) vulnerability.
A stored cross-site scripting (XSS) vulnerability was found in the Jenkins Git plugin. Because the plugin does not escape the Git SHA-1 checksum parameters provided to commit notifications, an attacker can submit crafted commit notifications to the `/git/notifyCommit` endpoint that are later rendered unescaped in the build cause.
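As an added defender-side illustration (not the Git plugin's own code), the two controls that close this class of bug: reject a `sha1` parameter that is not a well-formed 40-hex commit id, and HTML-escape whatever is rendered into the build cause. The function names and the rendered markup are constructed for the example.

```python
import html
import re
from typing import Optional

# A Git SHA-1 is exactly 40 hexadecimal characters; anything else is not a commit id.
SHA1_RE = re.compile(r"^[0-9a-fA-F]{40}$")


def validate_sha1(value: Optional[str]) -> Optional[str]:
    """Return the normalised lowercase SHA-1, or None if the parameter is not a commit id."""
    if value is None:
        return None
    candidate = value.strip()
    if not SHA1_RE.fullmatch(candidate):
        return None
    return candidate.lower()


def render_build_cause(sha1_param: Optional[str]) -> str:
    """Build the HTML fragment for a 'triggered by commit notification' build cause.

    Input is rejected unless it is a well-formed SHA-1, and the value is still
    HTML-escaped on output so a later relaxation of the validation cannot
    reintroduce the injection on its own.
    """
    sha1 = validate_sha1(sha1_param)
    if sha1 is None:
        # Report the rejection instead of echoing attacker-controlled text.
        return "<span>Commit notification with invalid sha1 parameter</span>"
    return f"<span>Commit notification for {html.escape(sha1)}</span>"


def render_build_cause_unescaped(sha1_param: str) -> str:
    """Constructed model of the CVE-2021-21684 pattern: the parameter is interpolated as-is."""
    return f"<span>Commit notification for {sha1_param}</span>"
```

Comparing the two render functions on a non-hex value shows why validation alone or escaping alone is weaker than both together: the hardened path never lets the raw string reach the page.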
CVSS Scores
SSVC
- Decision: -
Timeline
- 2021-01-04 CVE Reserved
- 2021-10-06 CVE Published
- 2024-06-21 EPSS Updated
- 2024-08-03 CVE Updated
- Exploited in Wild: -
- KEV Due Date: -
- First Exploit: -
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CWE-116: Improper Encoding or Escaping of Output
CAPEC
References (4)
URL | Tag | Source |
---|---|---|
http://www.openwall.com/lists/oss-security/2021/10/06/1 | Mailing List | |

URL | Date | SRC |
---|---|---|
https://www.jenkins.io/security/advisory/2021-10-06/#SECURITY-2499 | 2023-11-22 | |
https://access.redhat.com/security/cve/CVE-2021-21684 | 2022-03-10 | |
https://bugzilla.redhat.com/show_bug.cgi?id=2011949 | 2022-03-10 | |