Stored Cross-Site Scripting Vulnerability in Jenkins Scriptler Plugin
CVE-2021-21667

5.4MEDIUM

Key Information:

Vendor

Jenkins
Status
Jenkins Scriptler Plugin
Vendor
CVE Published:
16 June 2021

What is CVE-2021-21667?

The Jenkins Scriptler Plugin versions 3.2 and earlier contain a flaw that does not properly escape parameter names displayed in job configuration forms. This oversight can be exploited by attackers who possess Scriptler/Configure permissions, allowing them to inject malicious scripts. When executed, these scripts can affect any user accessing the vulnerable job configurations, leading to unauthorized actions or data exposure.

Affected Version(s)

Jenkins Scriptler Plugin <= 3.2

References

https://www.jenkins.io/security/advisory/2021-06-16/#SECU...
x_refsource_CONFIRM
http://www.openwall.com/lists/oss-security/2021/06/16/3
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.