
CVE-2021-21608:
Stored XSS vulnerability in Jenkins button labels

CVSS Score (v3.1): 5.4

Basic Information

EPSS Score: 0.56428%
Published: 5/24/2022
Updated: 12/14/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name                      Ecosystem  Vulnerable Versions    First Patched Version
org.jenkins-ci.main:jenkins-core  maven      < 2.263.1              2.275
org.jenkins-ci.main:jenkins-core  maven      >= 2.263.2, <= 2.274   2.275

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stemmed from button labels being rendered without escaping in several UI components. The key evidence is in the patch: 1) hetero-list.js added title.escapeHTML() for menu options, 2) add-item.js switched to creating a text node for labels instead of writing markup, and 3) hudson-behavior.js added escaping for button labels. In their original form these components inserted user-controlled labels into the page as markup, so any label containing HTML was interpreted by the browser, making button labels an entry point for stored XSS.
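The three label-rendering patterns named in the analysis, shown side by side as an added example (not code from Jenkins or Miggo): the pre-patch interpolation, the escape-then-interpolate fix, and the text-node fix. The escapeHTML helper and the miniDocument stub are assumptions standing in for Jenkins' String.prototype.escapeHTML and the browser DOM, so the example runs in Node.

```javascript
// Added example, not Jenkins code. escapeHTML is an assumed stand-in for
// Jenkins' String.prototype.escapeHTML; miniDocument is an assumed DOM stub.
function escapeHTML(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Pre-patch pattern: the label is interpolated into markup, so any tags
// in a user-controlled label are interpreted by the browser.
function renderButtonUnsafe(label) {
  return `<button>${label}</button>`;
}

// hetero-list.js / hudson-behavior.js pattern after the patch: escape first.
function renderButtonEscaped(label) {
  return `<button>${escapeHTML(label)}</button>`;
}

// Minimal stand-in for document.createElement / createTextNode. Text nodes
// serialize the way a browser does: only &, < and > are escaped.
const miniDocument = {
  createElement(tag) {
    const children = [];
    return {
      appendChild(node) { children.push(node); },
      get textContent() { return children.map((c) => c.textContent).join(""); },
      get outerHTML() {
        return `<${tag}>${children.map((c) => c.outerHTML).join("")}</${tag}>`;
      },
    };
  },
  createTextNode(text) {
    const serialized = String(text).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
    return { textContent: text, outerHTML: serialized };
  },
};

// add-item.js pattern after the patch: a text node can never become markup,
// so no escaping call is needed at the rendering site.
function renderButtonTextNode(label, doc = miniDocument) {
  const button = doc.createElement("button");
  button.appendChild(doc.createTextNode(label));
  return button;
}

// Constructed sample label containing markup, standing in for a user-controlled label.
const sampleLabel = "Deploy <b>now</b>";
```

Only the first pattern lets the `<b>` tag reach the page as an element; the other two keep it as literal text.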


WAF Protection Rules

WAF Rule

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape button labels in the Jenkins UI. This results in a cross-site scripting vulnerability exploitable by attackers with the ability to control button labels. An example of buttons with
