Stored Cross-Site Scripting Vulnerability in Jenkins Active Choices Plugin
CVE-2021-21616
Severity: 4.6 MEDIUM
Key Information:
- Vendor: Jenkins
- CVE Published: 24 February 2021
What is CVE-2021-21616?
The Active Choices Plugin for Jenkins, versions 2.5.2 and earlier, contains a stored cross-site scripting (XSS) vulnerability due to improper escaping of reference parameter values. This flaw can be exploited by authenticated attackers who possess Job/Configure permissions, allowing them to execute malicious scripts in the context of affected users' browsers. As a result, attackers could potentially compromise user sessions or manipulate the user experience within the Jenkins environment. It is crucial for users to upgrade to the latest version of the plugin to mitigate this risk.
Affected Version(s)
Jenkins Active Choices Plugin <= 2.5.2