AUSCERT External Security Bulletin Redistribution
Jenkins Security Advisory 2021-04-21
22 April 2021
AusCERT Security Bulletin Summary

Product:           Jenkins plugins
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Cross-site Request Forgery -- Remote/Unauthenticated
                   Create Arbitrary Files -- Existing Account
                   Delete Arbitrary Files -- Remote with User Interaction
                   Denial of Service -- Remote with User Interaction
                   Access Confidential Data -- Existing Account
CVE Names:         CVE-2021-21647 CVE-2021-21646 CVE-2021-21645
                   CVE-2021-21644 CVE-2021-21643 CVE-2021-21642
--------------------------BEGIN INCLUDED TEXT--------------------
Jenkins Security Advisory 2021-04-21
This advisory announces vulnerabilities in the following Jenkins deliverables:
o CloudBees CD Plugin
o Config File Provider Plugin
o Templating Engine Plugin
XXE vulnerability in Config File Provider Plugin
SECURITY-2204 / CVE-2021-21642
Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser
to prevent XML external entity (XXE) attacks.
This allows attackers with the ability to define Maven configuration files to
have Jenkins parse a crafted configuration file that uses external entities for
extraction of secrets from the Jenkins controller or server-side request
Config File Provider Plugin 3.7.1 disables external entity resolution for its
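The following is an added illustration of the parser configuration behind SECURITY-2204, not code from Config File Provider Plugin: it parses a constructed Maven settings.xml carrying a DOCTYPE with a JDK parser left at its defaults and with one configured the way the fix describes, so a practitioner can confirm which of their own parsers still honour entity declarations. Class and method names are assumptions; the feature URIs are the standard JAXP/Xerces ones.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class MavenSettingsXxeCheck {
    // Constructed test input: a settings.xml whose DOCTYPE declares an entity.
    // A default parser expands it; a hardened parser rejects the DOCTYPE outright.
    static final String SETTINGS_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE settings [ <!ENTITY probe \"expanded\"> ]>\n"
      + "<settings><localRepository>&probe;</localRepository></settings>";

    /** Default JDK parser: accepts a DOCTYPE and resolves entities (the 3.7.0 situation). */
    static DocumentBuilder defaultParser() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Hardened parser: no DOCTYPE, no external entities or DTDs, no XInclude, no expansion. */
    static DocumentBuilder hardenedParser() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Returns the localRepository text, or null when the parser refuses the document. */
    static String parseLocalRepository(DocumentBuilder parser, String xml) {
        try {
            Document doc = parser.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return doc.getElementsByTagName("localRepository").item(0).getTextContent();
        } catch (SAXException | IOException e) {
            return null; // the hardened parser fails here with a "DOCTYPE is disallowed" SAXParseException
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default : " + parseLocalRepository(defaultParser(), SETTINGS_WITH_DOCTYPE));
        System.out.println("hardened: " + parseLocalRepository(hardenedParser(), SETTINGS_WITH_DOCTYPE));
    }
}
```

Run with `java MavenSettingsXxeCheck.java` on JDK 11 or later; the same feature set applies to SAXParserFactory and XMLInputFactory-based parsers.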
Incorrect permission checks in Config File Provider Plugin allow enumerating
SECURITY-2254 / CVE-2021-21643
Config File Provider Plugin 3.7.0 and earlier does not correctly perform
permission checks in several HTTP endpoints.
This allows attackers with global Job/Configure permission to enumerate
system-scoped credentials IDs of credentials stored in Jenkins. Those can be
used as part of an attack to capture the credentials using another
An enumeration of system-scoped credentials IDs in Config File Provider Plugin
3.7.1 requires Overall/Administer permission.
CSRF vulnerability in Config File Provider Plugin allows deleting configuration
SECURITY-2202 / CVE-2021-21644
Config File Provider Plugin 3.7.0 and earlier does not require POST requests
for an HTTP endpoint, resulting in a cross-site request forgery (CSRF)
This vulnerability allows attackers to delete configuration files corresponding
to an attacker-specified ID.
This is due to an incomplete fix of SECURITY-938.
Config File Provider Plugin 3.7.1 requires POST requests for the affected HTTP
Missing permission checks in Config File Provider Plugin allow enumerating
configuration file IDs
SECURITY-2203 / CVE-2021-21645
Config File Provider Plugin 3.7.0 and earlier does not perform permission
checks in several HTTP endpoints.
This allows attackers with Overall/Read permission to enumerate configuration
An enumeration of configuration file IDs in Config File Provider Plugin 3.7.1
requires the appropriate permissions.
Remote code execution vulnerability in Templating Engine Plugin
SECURITY-2311 / CVE-2021-21646
Templating Engine Plugin 2.1 and earlier does not protect its pipeline
configurations using Script Security Plugin.
This vulnerability allows attackers with Job/Configure permission to execute
arbitrary code in the context of the Jenkins controller JVM.
Templating Engine Plugin 2.2 integrates with Script Security Plugin to protect
its pipeline configurations.
Missing permission check in CloudBees CD Plugin allows scheduling builds
SECURITY-2309 / CVE-2021-21647
CloudBees CD Plugin 1.1.21 and earlier does not perform a permission check in
an HTTP endpoint.
This allows attackers with Item/Read permission to schedule builds of projects
without having Item/Build permission.
CloudBees CD Plugin 1.1.22 requires Item/Build permission to schedule builds
via its HTTP endpoint.
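The entries for SECURITY-2202, SECURITY-2203/SECURITY-2254 and SECURITY-2309 describe one pattern: a Stapler web method reachable by GET and missing a permission check. The block below is an added illustration, not code from CloudBees CD Plugin or Config File Provider Plugin, of a hypothetical "schedule a build" endpoint in its weak and hardened forms; the class, method names and `job` parameter are assumptions, while the Jenkins core and Stapler types are real, so it compiles only inside a plugin build that has them on the classpath.

```java
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.util.HttpResponses;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

/** Hypothetical action object; Stapler maps doSchedule() to the URL segment "schedule". */
public class ScheduleBuildAction {

    /**
     * Weak form. Stapler serves it for any HTTP method, so a cross-site GET
     * triggers it (the SECURITY-2202 shape), and nothing beyond the Item/Read
     * implied by getItemByFullName() is verified (the SECURITY-2309 shape).
     */
    public HttpResponse doScheduleWeak(@QueryParameter String job) {
        AbstractProject<?, ?> p = Jenkins.get().getItemByFullName(job, AbstractProject.class);
        if (p == null) {
            return HttpResponses.notFound();
        }
        p.scheduleBuild2(0);
        return HttpResponses.ok();
    }

    /**
     * Hardened form. @RequirePOST makes Stapler reject non-POST requests, which
     * also puts the call under Jenkins' crumb (CSRF token) check, and
     * checkPermission() throws AccessDeniedException unless the caller holds
     * Item/Build on this particular job rather than merely Item/Read.
     */
    @RequirePOST
    public HttpResponse doSchedule(@QueryParameter String job) {
        AbstractProject<?, ?> p = Jenkins.get().getItemByFullName(job, AbstractProject.class);
        if (p == null) {
            return HttpResponses.notFound();
        }
        p.checkPermission(Item.BUILD);
        p.scheduleBuild2(0);
        return HttpResponses.ok();
    }
}
```

When reviewing a plugin for the same weakness, list every public `do*` method and confirm each one that changes state carries `@RequirePOST` and a `checkPermission()` call against the object it acts on, not just against the Jenkins root.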
Severity
o SECURITY-2202: Medium
o SECURITY-2203: Medium
o SECURITY-2204: High
o SECURITY-2254: Medium
o SECURITY-2309: Medium
o SECURITY-2311: High
Affected Versions
o CloudBees CD Plugin up to and including 1.1.21
o Config File Provider Plugin up to and including 3.7.0
o Templating Engine Plugin up to and including 2.1
Fix
o CloudBees CD Plugin should be updated to version 1.1.22
o Config File Provider Plugin should be updated to version 3.7.1
o Templating Engine Plugin should be updated to version 2.2
These versions include fixes to the vulnerabilities described above. All prior
versions are considered to be affected by these vulnerabilities unless
Credit
The Jenkins project would like to thank the reporters for discovering and
reporting these vulnerabilities:
o Daniel Beck, CloudBees, Inc. for SECURITY-2254, SECURITY-2311
o Devin Nusbaum, CloudBees, Inc. for SECURITY-2309
--------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to email@example.com
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: firstname.lastname@example.org
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.