CVE-2021-21675
CSRF vulnerabilities in Jenkins requests-plugin Plugin
Description
Jenkins requests-plugin Plugin 2.2.12 and earlier does not require POST requests for the HTTP endpoints that create and apply change requests, resulting in cross-site request forgery (CSRF) vulnerabilities. Jenkins' built-in CSRF protection validates a crumb on POST requests only, so an endpoint that also performs its action on GET can be triggered from any page a logged-in user visits, for example through an image tag, a link, or a redirect. These vulnerabilities allow attackers to create requests and to trick administrators into applying pending requests, such as renaming or deleting jobs, deleting builds, etc. Jenkins requests-plugin Plugin 2.2.13 requires POST requests for the affected HTTP endpoints. This was partially fixed in requests-plugin Plugin 2.2.8, which required POST requests for some of the affected HTTP endpoints, but the endpoint allowing administrators to apply pending requests remained unprotected until 2.2.13.
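The fix pattern the advisory describes, as an added example that is not the requests-plugin's own code: a Jenkins Stapler endpoint in its pre-2.2.13 shape, reachable by GET, beside the hardened form annotated with `@RequirePOST`. The package, class, URL and parameter names are hypothetical; the annotations and Jenkins API calls (`RequirePOST`, `HttpResponses`, `Jenkins.get()`, `checkPermission`, `Item.delete`) are the real ones.

```java
package io.example.requestsdemo; // hypothetical package, not the plugin's

import hudson.Extension;
import hudson.model.Item;
import hudson.model.RootAction;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;

// Hypothetical root action that applies "pending requests" such as job deletion.
@Extension
public class PendingRequestsAction implements RootAction {

    @Override public String getIconFileName() { return null; } // no sidebar link, still URL-reachable
    @Override public String getDisplayName() { return "Pending requests (demo)"; }
    @Override public String getUrlName() { return "pending-requests-demo"; } // /pending-requests-demo/...

    // BEFORE (shape of the endpoint before 2.2.13): Stapler dispatches this method for
    // GET /pending-requests-demo/applyInsecure?job=NAME as well as for POST.
    // The Jenkins crumb filter only validates POST requests, so a page that an
    // administrator visits can fire this with <img src="..."> or a redirect while
    // the administrator's session cookie is sent along.
    public HttpResponse doApplyInsecure(@QueryParameter String job)
            throws IOException, InterruptedException {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER); // authz alone does not stop CSRF
        return apply(job);
    }

    // AFTER (the 2.2.13 fix): @RequirePOST makes Stapler refuse to dispatch the
    // method for anything but POST, which places the request behind the crumb
    // check. Requiring POST is not an authorization check, so the permission
    // check stays.
    @RequirePOST
    public HttpResponse doApply(@QueryParameter String job)
            throws IOException, InterruptedException {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return apply(job);
    }

    // The state change both endpoints perform: deleting the named job, one of the
    // actions the advisory lists.
    private HttpResponse apply(String job) throws IOException, InterruptedException {
        Item item = Jenkins.get().getItemByFullName(job, Item.class);
        if (item == null) {
            return HttpResponses.notFound();
        }
        item.delete();
        return HttpResponses.redirectToDot();
    }
}
```

To check a deployed plugin rather than read its source, issue a GET against the endpoint while logged in as an administrator: with the fix in place the action must not run, and a POST without a valid crumb must be rejected by the crumb filter with HTTP 403.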
How to fix CVE-2021-21675
To remediate CVE-2021-21675, upgrade the affected package to a fixed version below. Note that 2.2.8 through 2.2.12 only protect some of the affected endpoints; the endpoint that lets administrators apply pending requests is unprotected in every version before 2.2.13.
- requests-plugin Plugin: upgrade to 2.2.13 or later
Is CVE-2021-21675 being exploited?
Low: the EPSS score is 0.3%, i.e. the estimated probability that this CVE is exploited in the wild within the next 30 days is low. EPSS is a prediction, not a confirmation that exploitation has or has not occurred.
Affected packages (1)
- requests-plugin Plugin: all versions before 2.2.13 (introduced in 0, fixed in 2.2.13)
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (6.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |