CVE-2021-21646
Remote code execution vulnerability in Jenkins Templating Engine Plugin
CVSS 3.1 base score: 8.8 (HIGH)
EPSS: 0.39%
Description
Jenkins Templating Engine Plugin 2.1 and earlier does not protect its pipeline configurations using Script Security Plugin. This vulnerability allows attackers with Job/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM. Jenkins Templating Engine Plugin 2.2 integrates with Script Security Plugin to protect its pipeline configurations.
How to fix CVE-2021-21646
To remediate CVE-2021-21646, upgrade the affected package to a fixed version listed below.
- Jenkins Templating Engine Plugin: upgrade to 2.2 or later
Is CVE-2021-21646 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Jenkins Templating Engine Plugin: all versions from 0 up to, but not including, 2.2
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | HIGH | 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |