{"api_version":"1","generated_at":"2026-04-22T23:22:15+00:00","cve":"CVE-2021-21604","urls":{"html":"https://cve.report/CVE-2021-21604","api":"https://cve.report/api/cve/CVE-2021-21604.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-21604","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-21604"},"summary":{"title":"CVE-2021-21604","description":"Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows attackers with permission to create or configure various objects to inject crafted content into Old Data Monitor that results in the instantiation of potentially unsafe objects once discarded by an administrator.","state":"PUBLIC","assigner":"jenkinsci-cert@googlegroups.com","published_at":"2021-01-13 16:15:00","updated_at":"2023-10-25 18:16:00"},"problem_types":["CWE-502"],"metrics":[],"references":[{"url":"https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-1923","name":"https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-1923","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"Jenkins Security Advisory 2021-01-13","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-21604","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21604","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"21604","vulnerable":"1","versionEndIncluding":"2.263.1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"jenkins","cpe5":"jenkins","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"21604","vulnerable":"1","versionEndIncluding":"2.274","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"jenkins","cpe5":"jenkins","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"-","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-21604","qid":"501021","title":"Alpine Linux Security Update for jenkins"},{"cve":"CVE-2021-21604","qid":"501586","title":"Alpine Linux Security Update for jenkins"},{"cve":"CVE-2021-21604","qid":"770050","title":"Red Hat OpenShift Container Platform Security and Packages Update 4.6.17 (RHSA-2021:0423)"},{"cve":"CVE-2021-21604","qid":"770051","title":"Red Hat OpenShift Container Platform 4.5.33 Packages and Security Update (RHSA-2021:0429)"},{"cve":"CVE-2021-21604","qid":"770099","title":"Red Hat OpenShift Container Platform 4.5 Security Update (RHSA-2021-0429)"},{"cve":"CVE-2021-21604","qid":"770122","title":"Red Hat OpenShift Container Platform 4.6 Security Update (RHSA-2021-0423)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2021-21604","ASSIGNER":"jenkinsci-cert@googlegroups.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows attackers with permission to create or configure various objects to inject crafted content into Old Data Monitor that results in the instantiation of potentially unsafe objects once discarded by an administrator."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Jenkins project","product":{"product_data":[{"product_name":"Jenkins","version":{"version_data":[{"version_affected":"<=","version_name":"unspecified","version_value":"2.274"}]}}]}}]}},"references":{"reference_data":[{"url":"https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-1923","refsource":"MISC","name":"https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-1923"}]}},"nvd":{"publishedDate":"2021-01-13 16:15:00","lastModifiedDate":"2023-10-25 18:16:00","problem_types":["CWE-502"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8,"baseSeverity":"HIGH"},"exploitabilityScore":2.1,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:S/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":6},"severity":"MEDIUM","exploitabilityScore":6.8,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*","versionEndIncluding":"2.274","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*","versionEndIncluding":"2.263.1","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"21604","Ordinal":"196292","Title":"CVE-2021-21604","CVE":"CVE-2021-21604","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"21604","Ordinal":"1","NoteData":"Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows attackers with permission to create or configure various objects to inject crafted content into Old Data Monitor that results in the instantiation of potentially unsafe objects once discarded by an administrator.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"21604","Ordinal":"2","NoteData":"2021-01-13","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"21604","Ordinal":"3","NoteData":"2021-01-13","Type":"Other","Title":"Modified"}]}}}