Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1xdjZmLXJjdjYtNnEzeM4AAnOP

Improper handling of REST API XML deserialization errors in Jenkins

Jenkins provides XML REST APIs to configure views, jobs, and other items. When deserialization fails because of invalid data, Jenkins 2.274 and earlier, LTS 2.263.1 and earlier stores invalid object references created through these endpoints in the Old Data Monitor. If an administrator discards the old data, some erroneous data submitted to these endpoints may be persisted.

This allows attackers with View/Create, Job/Create, Agent/Create, or their respective */Configure permissions to inject crafted content into Old Data Monitor that results in the instantiation of potentially unsafe objects when discarded by an administrator.\n\nJenkins 2.275, LTS 2.263.2 does not record submissions from users in Old Data Monitor anymore.

In case of problems, the Java system properties hudson.util.RobustReflectionConverter.recordFailuresForAdmins and hudson.util.RobustReflectionConverter.recordFailuresForAllAuthentications can be set to true to record configuration data submissions from administrators or all users, partially or completely disabling this fix.

Permalink: https://github.com/advisories/GHSA-qv6f-rcv6-6q3x
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xdjZmLXJjdjYtNnEzeM4AAnOP
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: 11 months ago

CVSS Score: 8.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Identifiers: GHSA-qv6f-rcv6-6q3x, CVE-2021-21604
References:

• https://nvd.nist.gov/vuln/detail/CVE-2021-21604
• https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-1923
• https://github.com/jenkinsci/jenkins/commit/f1056bd814fc1f19ea241a101d649b8c143807e7
• https://github.com/advisories/GHSA-qv6f-rcv6-6q3x

Repository: https://github.com/jenkinsci/jenkins
Blast Radius: 1.0

Affected Packages