CVE-2021-21640

Published on: 04/07/2021 12:00:00 AM UTC

Last Modified on: 04/13/2021 06:00:00 PM UTC

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Certain versions of Jenkins from the Jenkins project contain the following vulnerability:

Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not properly check that a newly created view has an allowed name, allowing attackers with View/Create permission to create views with invalid or already-used names.

  • CVE-2021-21640 has been assigned by [email protected] to track the vulnerability - currently rated as MEDIUM severity.
  • Affected Vendor/Software: Jenkins project - Jenkins version <= 2.286
  • Affected Vendor/Software: Jenkins project - Jenkins version <= LTS 2.277.1

CVSS3 Score: 4.3 - MEDIUM

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE

CVSS2 Score: 4 - MEDIUM

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

CVE References

Description | Tags | Link
  • Jenkins Security Advisory 2021-04-07 | CONFIRM | www.jenkins.io/security/advisory/2021-04-07/#SECURITY-1871
  • oss-security - Multiple vulnerabilities in Jenkins and Jenkins plugins | MLIST ([oss-security] 20210407 Multiple vulnerabilities in Jenkins and Jenkins plugins) | www.openwall.com

Related QID Numbers

  • 730045 Jenkins Multiple Security Vulnerabilities(Jenkins Security Advisory 2021-04-07)

Known Affected Configurations (CPE V2.3)

Type | Vendor | Product | Version | Update | Edition | Language
  • Application | Jenkins | Jenkins | All | All | All | All
    cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*:
  • Application | Jenkins | Jenkins | All | All | All | All
    cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*:

Social Mentions

Source | Title | Posted (UTC)
  • Twitter @CVEreport | CVE-2021-21640 : Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not properly check that a newly created vi… twitter.com/i/web/status/1… | 2021-04-07 13:52:05
  • Twitter @LinInfoSec | Jenkins - CVE-2021-21640: openwall.com/lists/oss-secu… | 2021-04-07 22:28:55