Miggo Logo

CVE-2021-21617: CSRF vulnerability in Jenkins Configuration Slicing Plugin

8.8

CVSS Score
3.1

Basic Information

EPSS Score
0.23099%
Published
5/24/2022
Updated
12/21/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jenkins-ci.plugins:configurationslicingmaven<= 1.511.52

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The key vulnerability stemmed from missing HTTP method validation. The commit diff shows the critical fix was adding @RequirePOST to doSliceconfigSubmit. This method handles slice reconfiguration submissions, and without POST requirement, it was susceptible to CSRF. The test additions and permission changes support the fix but aren't the primary vulnerability source. The CWE-352 mapping and advisory explicitly mention the missing POST requirement as the root cause.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins *on*i*ur*tion Sli*in* Plu*in *.** *n* **rli*r *o*s not r*quir* POST r*qu*sts *or t** *orm su*mission *n*point r**on*i*urin* sli**s, r*sultin* in * *ross-sit* r*qu*st *or**ry (*SR*) vuln*r**ility. T*is vuln*r**ility *llows *tt**k*rs to *pply

Reasoning

T** k*y vuln*r**ility st*mm** *rom missin* *TTP m*t*o* v*li**tion. T** *ommit *i** s*ows t** *riti**l *ix w*s ***in* @R*quir*POST to *oSli***on*i*Su*mit. T*is m*t*o* **n*l*s sli** r**on*i*ur*tion su*missions, *n* wit*out POST r*quir*m*nt, it w*s sus*