CVE-2021-21644

Aliases: GHSA-998m-f2x3-jjq4
Advisory lineage: Upstream: 0, Downstream: 4
Modified
Published: 21 Apr 2021, 14:20
Last modified: 03 Aug 2024, 18:16

Vulnerability Summary

Overall Risk (default)
low
23/100
CVSS Score
5.8 MEDIUM
v2.0 (nvd)
EPSS Score
0.13% LOW
0% probability (change: -0.08%)
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

21 Apr 2021, 14:20
Published
Vulnerability first disclosed
03 Aug 2024, 18:16
Last Modified
Vulnerability information updated

Description

A cross-site request forgery (CSRF) vulnerability in Jenkins Config File Provider Plugin 3.7.0 and earlier allows attackers to delete configuration files corresponding to an attacker-specified ID.

CVSS Metrics

  • v3.1 MEDIUM, Score: 5.4, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
  • v2.0 MEDIUM, Score: 5.8, Vector: AV:N/AC:M/Au:N/C:N/I:P/A:P

EPSS Trends

Current EPSS score: 0.13% Percentile: 31%

Techniques & Countermeasures

  • CWE-352: Cross-Site Request Forgery (CSRF)

    The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Affected Systems

  • Vendor: jenkins project, Product: jenkins config file provider plugin

    ≥ unspecified, ≤ 3.7.0

  • Vendor: jenkins, Product: config_file_provider

    ≤ 3.7.0

  • Maven: org.jenkins-ci.plugins:config-file-provider

    < 3.7.1

References (5)