CVE-2021-21639 org.jenkins-ci.main:jenkins-core

Package

Manager: maven
Name: org.jenkins-ci.main:jenkins-core
Vulnerable Version: >=0 <2.277.2 || >=2.278 <2.287

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00635 (percentile 0.69504)

Details

Lack of type validation in the agent-related REST API: Jenkins 2.286 and earlier, LTS 2.277.1 and earlier do not validate the type of object created after loading the data submitted to the `config.xml` REST API endpoint of a node. This allows attackers with Computer/Configure permission to replace a node with one of a different type. Jenkins 2.287 and LTS 2.277.2 validate the type of object created and reject objects of unexpected types.

Metadata

Created: 2022-05-24T17:46:47Z
Modified: 2023-10-27T14:08:03Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-pvwx-3jx5-24r2/GHSA-pvwx-3jx5-24r2.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-pvwx-3jx5-24r2
Finding: F184
Auto approve: 1