CVE-2021-21677
HIGH8.8EPSS 1.2%RCE vulnerability in Jenkins Code Coverage API Plugin
Published: 5/24/2022Modified: 2/16/2024
Also known as:GHSA-58pr-hprx-7hg6
Description
Jenkins Code Coverage API Plugin 1.4.0 and earlier does not apply [JEP-200 deserialization protection](https://github.com/jenkinsci/jep/tree/master/jep/200) to Java objects it deserializes from disk. This results in a remote code execution (RCE) vulnerability exploitable by attackers able to control agent processes. Jenkins Code Coverage API Plugin 1.4.1 configures its Java object deserialization to only deserialize safe types.
Affected packages (1)
- Maven/io.jenkins.plugins:code-coverage-apifrom 0, < 1.4.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
References (5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-21677
- PATCHhttps://github.com/jenkinsci/code-coverage-api-plugin
- WEBhttps://github.com/jenkinsci/code-coverage-api-plugin/commit/a5b3c18cff2a0b494c55fa73b05fc935b50530be
- WEBhttps://www.jenkins.io/security/advisory/2021-08-31/#SECURITY-2376
- WEBhttp://www.openwall.com/lists/oss-security/2021/08/31/1