CVE-2021-21604

HIGH8.0EPSS 0.76%

Improper handling of REST API XML deserialization errors in Jenkins

Published: 5/24/2022Modified: 4/3/2025

Description

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows attackers with permission to create or configure various objects to inject crafted content into Old Data Monitor that results in the instantiation of potentially unsafe objects once discarded by an administrator.

Affected packages (2)

Bitnami/jenkinsfrom 0, < 2.274.1
Maven/org.jenkins-ci.main:jenkins-corefrom 0, < 2.263.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.0	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-21604
PATCHhttps://github.com/jenkinsci/jenkins
WEBhttps://github.com/jenkinsci/jenkins/commit/f1056bd814fc1f19ea241a101d649b8c143807e7
WEBhttps://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-1923