Description
Jenkins 2.286 and earlier, and LTS 2.277.1 and earlier, do not validate the type of object created after loading the data submitted to the `config.xml` REST API endpoint of a node, allowing attackers with Computer/Configure permission to replace a node with one of a different type.
Remediation
References
Related Vulnerabilities
WordPress Plugin Recip.ly 'uploadImage.php' Arbitrary File Upload (1.1.7)
Oracle Database Server CVE-2010-0867 Vulnerability (CVE-2010-0867)
WordPress Plugin Age Verification 'redirect_to' Parameter URI Redirection (0.4)
PleskWin Permissions, Privileges, and Access Controls Vulnerability (CVE-2013-4878)