CVE-2021-21700
Stored XSS vulnerability in Jenkins Scriptler Plugin
CVSS 3.1 base score: 5.4 (MEDIUM)
EPSS: 0.21%
Description
Jenkins Scriptler Plugin 3.3 and earlier does not escape the name of scripts on the UI when asking to confirm their deletion. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create Scriptler scripts. Jenkins Scriptler Plugin 3.4 escapes the name of scripts on the UI when asking to confirm their deletion.
How to fix CVE-2021-21700
To remediate CVE-2021-21700, upgrade the affected package to a fixed version below.
- Upgrade Jenkins Scriptler Plugin to 3.4 or later
Is CVE-2021-21700 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Jenkins Scriptler Plugin: all versions from 0 up to, but not including, 3.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.4) | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |