CVE-2021-21639

Published on: 04/07/2021 12:00:00 AM UTC

Last Modified on: 04/13/2021 06:16:00 PM UTC

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Certain versions of Jenkins from the Jenkins project contain the following vulnerability:

Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not validate the type of object created after loading the data submitted to the `config.xml` REST API endpoint of a node, allowing attackers with Computer/Configure permission to replace a node with one of a different type.

  • CVE-2021-21639 has been assigned by [email protected] to track the vulnerability - currently rated as MEDIUM severity.
  • Affected Vendor/Software: Jenkins project - Jenkins version <= 2.286
  • Affected Vendor/Software: Jenkins project - Jenkins version <= LTS 2.277.1
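The flaw in the description above is a missing object-type check on a deserialize-then-replace path. The following stand-alone model is an added example written for this page, not Jenkins source code: it deserializes a node config.xml into an object whose class is chosen by the XML's root element, then shows the pre-fix path that installs that object regardless of its class beside a hardened path that refuses to change the node's class. The node classes (`DumbSlave`, `CloudAgent`), element aliases, field names and the constructed config.xml payloads are assumptions for the example.

```python
"""Model of the missing object-type check described for CVE-2021-21639.

Added illustration, not Jenkins source. The submitted XML is deserialized
into an object whose class is selected by the XML itself, and that object
replaces the existing node. The vulnerable path never compares the two
classes; the hardened path refuses to change a node's type.
Node classes, element names and field names are simplified stand-ins.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, fields


class NodeTypeMismatch(ValueError):
    """Raised when config.xml would change the class of an existing node."""


@dataclass
class DumbSlave:
    """Stand-in for an ordinary static agent (assumed shape)."""
    name: str
    remote_fs: str


@dataclass
class CloudAgent:
    """Hypothetical cloud-provisioned agent type with different semantics."""
    name: str
    template: str


# Root element name -> node class, the way an XML alias table selects the
# class to instantiate. Both aliases are assumed for this example.
NODE_TYPES = {"slave": DumbSlave, "cloudAgent": CloudAgent}


def load_node(xml_text):
    """Deserialize a node config.xml; the root element picks the class."""
    root = ET.fromstring(xml_text)
    cls = NODE_TYPES.get(root.tag)
    if cls is None:
        raise ValueError(f"unknown node type <{root.tag}>")
    allowed = {f.name for f in fields(cls)}
    values = {c.tag: (c.text or "") for c in root if c.tag in allowed}
    return cls(**values)


class NodeRegistry:
    """Minimal stand-in for the set of configured nodes."""

    def __init__(self):
        self.nodes = {}

    def add(self, node):
        self.nodes[node.name] = node

    def update_by_xml_vulnerable(self, name, xml_text):
        """Pre-fix behaviour: whatever object was loaded replaces the node."""
        new = load_node(xml_text)
        if new.name != name:
            raise ValueError("config.xml must keep the node name")
        self.nodes[name] = new          # class of the node silently changes
        return new

    def update_by_xml_fixed(self, name, xml_text):
        """Post-fix behaviour: the loaded object must have the same class."""
        existing = self.nodes[name]
        new = load_node(xml_text)
        if new.name != name:
            raise ValueError("config.xml must keep the node name")
        if type(new) is not type(existing):
            raise NodeTypeMismatch(
                f"{name!r} is a {type(existing).__name__}; refusing to "
                f"replace it with a {type(new).__name__}")
        self.nodes[name] = new
        return new


# Constructed payloads: what a user holding Computer/Configure on "build-1"
# might submit. The first keeps the node's type, the second switches it.
SAME_TYPE_XML = "<slave><name>build-1</name><remote_fs>/srv/ws</remote_fs></slave>"
TYPE_SWITCH_XML = (
    "<cloudAgent><name>build-1</name>"
    "<template>attacker-chosen</template></cloudAgent>"
)


def demo():
    """Return the node class after each update path plus the accepted field."""
    vulnerable = NodeRegistry()
    vulnerable.add(DumbSlave("build-1", "/var/jenkins"))
    vulnerable.update_by_xml_vulnerable("build-1", TYPE_SWITCH_XML)

    fixed = NodeRegistry()
    fixed.add(DumbSlave("build-1", "/var/jenkins"))
    fixed.update_by_xml_fixed("build-1", SAME_TYPE_XML)    # same class: allowed
    try:
        fixed.update_by_xml_fixed("build-1", TYPE_SWITCH_XML)
    except NodeTypeMismatch:
        pass                                               # class change: rejected
    return (type(vulnerable.nodes["build-1"]).__name__,
            type(fixed.nodes["build-1"]).__name__,
            fixed.nodes["build-1"].remote_fs)


if __name__ == "__main__":
    print(demo())
```

Running it returns `('CloudAgent', 'DumbSlave', '/srv/ws')`: the vulnerable registry now holds an object of a different class under the same node name, while the hardened registry accepted the same-class reconfiguration and rejected the class switch. The point of the check is that the class must be compared against the node being replaced, not merely against the set of classes the deserializer is willing to produce.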

CVSS3 Score: 4.3 - MEDIUM

Metric                  Value
Attack Vector           NETWORK
Attack Complexity       LOW
Privileges Required     LOW
User Interaction        NONE
Scope                   UNCHANGED
Confidentiality Impact  NONE
Integrity Impact        LOW
Availability Impact     NONE

CVSS2 Score: 4 - MEDIUM

Metric                  Value
Access Vector           NETWORK
Access Complexity       LOW
Authentication          SINGLE
Confidentiality Impact  NONE
Integrity Impact        PARTIAL
Availability Impact     NONE

CVE References

  • MLIST: [oss-security] 20210407 Multiple vulnerabilities in Jenkins and Jenkins plugins (text/html) - www.openwall.com
  • CONFIRM: Jenkins Security Advisory 2021-04-07 (text/html) - www.jenkins.io/security/advisory/2021-04-07/#SECURITY-1721

Related QID Numbers

  • 730045 Jenkins Multiple Security Vulnerabilities(Jenkins Security Advisory 2021-04-07)

Known Affected Configurations (CPE V2.3)

Type         Vendor   Product  Version  Update  Edition  Language  SW Edition
Application  Jenkins  Jenkins  All      All     All      All       lts
Application  Jenkins  Jenkins  All      All     All      All       -
  • cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*
  • cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*

Social Mentions

Source   Title                                                                                              Posted (UTC)
Twitter  @CVEreport: CVE-2021-21639 : Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not validate the type of object created af… twitter.com/i/web/status/1…   2021-04-07 13:51:35
Twitter  @LinInfoSec: Jenkins - CVE-2021-21639: openwall.com/lists/oss-secu…                                2021-04-07 22:28:56