CVE-2021-21604

Aliases:GHSA-qv6f-rcv6-6q3xBIT-jenkins-2021-21604

Advisory lineage Upstream: 0 Downstream: 3

Downstream

RHSA-2021:0423 RHSA-2021:0429 RHSA-2021:0637

Modified

Published: 13 Jan 2021, 15:55

Last modified:03 Aug 2024, 18:16

Vulnerability Summary

Overall Risk (default)

medium

32/100

CVSS Score

8 HIGH

v3.1 (nvd)

EPSS Score

0.76% LOW

1% probability -0.07%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

13 Jan 2021, 15:55

Published

Vulnerability first disclosed

03 Aug 2024, 18:16

Last Modified

Vulnerability information updated

Description

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows attackers with permission to create or configure various objects to inject crafted content into Old Data Monitor that results in the instantiation of potentially unsafe objects once discarded by an administrator.

CVSS Metrics

v3.1•HIGH•Score: 8CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
v2.0•MEDIUM•Score: 6AV:N/AC:M/Au:S/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 0.76%• Percentile: 74%

Techniques & Countermeasures

CWE-502•Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Affected Systems

jenkins project•jenkins
≥ unspecified, ≤ 2.274 | ≥ unspecified, ≤ LTS 2.263.1
Unknown•Jenkins
≤ 2.263.1 | ≤ 2.274
org.jenkins-ci.main•jenkins-core
< 2.263.2 | ≥ 2.264, < 2.275