CVE-2021-21675

MEDIUM6.5EPSS 0.33%

CSRF vulnerabilities in Jenkins requests-plugin Plugin

Published: 5/24/2022Modified: 2/16/2024

Description

Jenkins requests-plugin Plugin 2.2.12 and earlier does not require POST requests to request and apply changes, resulting in cross-site request forgery (CSRF) vulnerabilities. These vulnerabilities allow attackers to create requests and/or have administrators apply pending requests, like renaming or deleting jobs, deleting builds, etc. Jenkins requests-plugin Plugin 2.2.13 requires POST requests for the affected HTTP endpoints. This was partially fixed in requests-plugin Plugin 2.2.8 to require POST requests for some of the affected HTTP endpoints, but the endpoint allowing administrators to apply pending requests remained unprotected until 2.2.13.

Affected packages (1)

Maven/org.jenkins-ci.plugins:requestsfrom 0, < 2.2.13

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-21675
PATCHhttps://github.com/jenkinsci/requests-plugin
WEBhttps://www.jenkins.io/security/advisory/2021-06-30/#SECURITY-2136%20(1)
WEBhttp://www.openwall.com/lists/oss-security/2021/06/30/1