CVE-2021-21613
XSS vulnerability in Jenkins TICS Plugin
CVSS 3.1: 6.1 (MEDIUM)
EPSS: 0.24%
Description
Jenkins TICS Plugin 2020.3.0.6 and earlier does not escape TICS service responses. This results in a cross-site scripting (XSS) vulnerability exploitable by attackers able to control TICS service response content. Jenkins TICS Plugin 2020.3.0.7 escapes TICS service responses, or strips HTML out, as appropriate.
How to fix CVE-2021-21613
To remediate CVE-2021-21613, upgrade the affected package to a fixed version below.
- upgrade to 2020.3.0.7 or later
Is CVE-2021-21613 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Jenkins TICS Plugin: all versions before 2020.3.0.7 (>= 0, < 2020.3.0.7)
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (6.1) | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |