Risk | Low
Patch available | YES
Number of vulnerabilities | 2
CVE-ID | CVE-2021-21639, CVE-2021-21640
CWE-ID | CWE-20, CWE-287
Exploitation vector | Network
Public exploit | N/A
Vulnerable software | Jenkins (Server applications / Application servers), Jenkins LTS (Server applications / Application servers)
Vendor | Jenkins
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
EUVDB-ID: #VU51993
Risk: Low
CVSSv4.0: 0.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-21639
CWE-ID: CWE-20 - Improper input validation
Exploit availability: No
Description: The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists because the affected software does not validate the type of the object created after loading the data submitted to the "config.xml" REST API endpoint of a node. A remote authenticated attacker can replace a node with one of a different type.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: Jenkins: 2.0 - 2.286
Jenkins LTS: 1.409.1 - 2.277.1
https://www.openwall.com/lists/oss-security/2021/04/07/2
https://www.jenkins.io/security/advisory/2021-04-07/#SECURITY-1721
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU51994
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-21640
CWE-ID: CWE-287 - Improper Authentication
Exploit availability: No
Description: The vulnerability allows a remote attacker to bypass the authentication process.
The vulnerability exists because the affected software does not properly check that a newly created view has an allowed name. A remote authenticated attacker can create views with invalid or already-used names.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: Jenkins: 2.0 - 2.286
Jenkins LTS: 1.409.1 - 2.277.1
https://www.openwall.com/lists/oss-security/2021/04/07/2
https://www.jenkins.io/security/advisory/2021-04-07/#SECURITY-1871
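Both entries in this bulletin come down to the same defensive pattern: check the submitted object before acting on it. The following Python snippet is an added illustration of the two checks the advisories describe (type of the object loaded from a node's config.xml; validity and uniqueness of a new view name). It is not Jenkins code: the root tag, the sample XML documents and the set of disallowed name characters are constructed assumptions for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample data for this illustration (not taken from Jenkins).
# Root element tag of the existing node's stored configuration; a replacement
# submitted to config.xml is only accepted if it keeps the same root tag.
EXISTING_NODE_ROOT_TAG = "slave"

SUBMITTED_SAME_TYPE = b"""<?xml version="1.0" encoding="UTF-8"?>
<slave>
  <name>build-agent-1</name>
  <numExecutors>2</numExecutors>
</slave>
"""

SUBMITTED_OTHER_TYPE = b"""<?xml version="1.0" encoding="UTF-8"?>
<someOtherNodeType>
  <name>build-agent-1</name>
</someOtherNodeType>
"""

# Hypothetical set of characters a view name may not contain; the exact set
# is an assumption made for this example, not Jenkins' own rule.
_BAD_NAME_CHARS = re.compile(r'[?*/\\%!@#$^&|<>\[\]:;]')


def submitted_root_tag(xml_bytes: bytes):
    """Return the root element tag of a submitted config.xml, or None if the
    payload is not well-formed XML."""
    try:
        return ET.fromstring(xml_bytes).tag
    except ET.ParseError:
        return None


def config_type_matches(existing_root_tag: str, xml_bytes: bytes) -> bool:
    """Accept a config.xml replacement only if its root tag equals the root
    tag of the node being replaced.

    Comparing the serialized type before the data is applied is what stops
    the endpoint from swapping a node for an object of a different kind.
    """
    tag = submitted_root_tag(xml_bytes)
    return tag is not None and tag == existing_root_tag


def validate_view_name(name, existing_names):
    """Return (ok, reason) for a proposed view name.

    Rejects empty or whitespace-only names, the path placeholders "." and
    "..", names containing a disallowed character, and names already in use
    (exact match against the existing set).
    """
    if name is None or name.strip() == "":
        return False, "name must not be empty"
    if name.strip() in (".", ".."):
        return False, "name must not be a path placeholder"
    bad = _BAD_NAME_CHARS.search(name)
    if bad:
        return False, f"character {bad.group(0)!r} is not allowed"
    if name in existing_names:
        return False, "name already in use"
    return True, ""


if __name__ == "__main__":
    print("same type accepted:", config_type_matches(EXISTING_NODE_ROOT_TAG, SUBMITTED_SAME_TYPE))
    print("other type rejected:", not config_type_matches(EXISTING_NODE_ROOT_TAG, SUBMITTED_OTHER_TYPE))
    existing = {"All", "Nightly"}
    for candidate in ["Release", "All", "bad/name", "   "]:
        print(repr(candidate), validate_view_name(candidate, existing))
```

Run directly, the script accepts the same-type replacement, rejects the other-type one, and reports why each of the four candidate view names passes or fails. Malformed XML is treated as a rejection rather than an error, so a parse failure can never be mistaken for a matching type.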
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.