6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-21610

GHSA ID

GHSA-7qf3-c2q8-69m3

EPSS Score

0.53648%

CWE

CWE-79

Published

5/24/2022

Updated

12/14/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-21610

CVE-2021-21610: Reflected XSS vulnerability in Jenkins markup formatter preview

Jenkins allows administrators to choose the markup formatter to use for descriptions of jobs, builds, views, etc. displayed in Jenkins. When editing such a description, users can choose to have Jenkins render a formatted preview of the description they entered.

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not implement any restrictions for the URL rendering the formatted preview of markup passed as a query parameter. This results in a reflected cross-site scripting (XSS) vulnerability if the configured markup formatter does not prohibit unsafe elements (JavaScript) in markup, like Anything Goes Formatter Plugin.

Jenkins 2.275, LTS 2.263.2 requires that preview URLs are accessed using POST and sets Content-Security-Policy headers that prevent execution of unsafe elements when the URL is accessed directly.

In case of problems with this change, these protections can be disabled by setting the Java system properties hudson.markup.MarkupFormatter.previewsAllowGET to true and/or hudson.markup.MarkupFormatter.previewsSetCSP to false. Doing either is discouraged.

(GitHub Advisory)

6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-21610

GHSA ID

GHSA-7qf3-c2q8-69m3

EPSS Score

0.53648%

CWE

CWE-79

Published

5/24/2022

Updated

12/14/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.main:jenkins-core	maven	<= 2.263.1	2.263.2
org.jenkins-ci.main:jenkins-core	maven	>= 2.264, <= 2.274	2.275

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the preview endpoint accepting GET requests and lacking security headers. The commit shows the patched version adds @POST annotation to doPreviewDescription and introduces CSP headers, while adding a separate GET handler that blocks unsafe access. In vulnerable versions, the original doPreviewDescription method was accessible via GET requests without security headers, making it the entry point for XSS payloads when combined with unsafe markup formatters.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins *llows **ministr*tors to **oos* t** m*rkup *orm*tt*r to us* *or **s*riptions o* jo*s, *uil*s, vi*ws, *t*. *ispl*y** in J*nkins. W**n **itin* su** * **s*ription, us*rs **n **oos* to **v* J*nkins r*n**r * *orm*tt** pr*vi*w o* t** **s*ription t*

Reasoning

T** vuln*r**ility st*ms *rom t** pr*vi*w *n*point ****ptin* **T r*qu*sts *n* l**kin* s**urity *****rs. T** *ommit s*ows t** p*t**** v*rsion ***s @POST *nnot*tion to *oPr*vi*w**s*ription *n* intro*u**s *SP *****rs, w*il* ***in* * s*p*r*t* **T **n*l*r

6.1

Basic Information

Concerned about an active attack path?

CVE-2021-21610: Reflected XSS vulnerability in Jenkins markup formatter preview

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI