CVE-2021-21646 – org.jenkins-ci.plugins:templating-engine
Package
Manager: maven
Name: org.jenkins-ci.plugins:templating-engine
Vulnerable Version: >=0 <2.2
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00387 (percentile: 0.59063)
Details
Remote code execution vulnerability in Jenkins Templating Engine Plugin
Jenkins Templating Engine Plugin 2.1 and earlier does not protect its pipeline configurations using Script Security Plugin. This vulnerability allows attackers with Job/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM. Jenkins Templating Engine Plugin 2.2 integrates with Script Security Plugin to protect its pipeline configurations.
Metadata
Created: 2022-05-24T17:48:06Z
Modified: 2023-10-27T14:24:29Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-p6qc-37hq-wqr6/GHSA-p6qc-37hq-wqr6.json
CWE IDs: ["CWE-693"]
Alternative ID: GHSA-p6qc-37hq-wqr6
Finding: F115
Auto approve: 1