CVE-2021-21619

5.4MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Claim Plugin
Vendor: CVE Published:; 24 February 2021

Summary

Jenkins Claim Plugin 2.18.1 and earlier does not escape the user display name, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers who are able to control the display names of Jenkins users, either via the security realm, or directly inside Jenkins.

Affected Version(s)

Jenkins Claim Plugin <= 2.18.1

References

https://www.jenkins.io/security/advisory/2021-02-24/#SECU...

x_refsource_CONFIRM

http://www.openwall.com/lists/oss-security/2021/02/24/3

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Feb 24, 2021
Vulnerability Reserved
Jan 4, 2021