
CVE-2021-21620: Cross-Site Request Forgery in the Jenkins Claim plugin

CVSS Score (v3.1): 4.3

Basic Information

EPSS Score: 0.53512%
Published: 6/16/2021
Updated: 10/27/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Package Name                  | Ecosystem | Vulnerable Versions | First Patched Version
org.jenkins-ci.plugins:claim  | maven     | < 2.18.2            | 2.18.2

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from an HTTP endpoint that handles claim assignments without requiring POST requests. Jenkins plugins typically implement form handlers as Stapler actions, and state-changing operations should accept only POST, because Jenkins' CSRF crumb protection is enforced on POST requests rather than on GET. The advisory explicitly states that the fix required POST enforcement, indicating that the original handler lacked this protection. The most likely candidate is the claim assignment handler method in the core claim processing class, which would have been modified in the patched version to add the @RequirePOST annotation or an equivalent restriction.
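As an added illustration (not the Claim plugin's own code; the class name ClaimAction, the handler doAssign and the URL segment "claim" are hypothetical), the following shows how a Jenkins plugin restricts a state-changing Stapler handler to POST with @RequirePOST, which is the protection the advisory describes. The Run, User, permission and redirect calls are standard Jenkins core and Stapler API.

```java
// Added example, not code from the Jenkins Claim plugin.
// Hypothetical names: ClaimAction, doAssign, URL segment "claim".
import hudson.model.Action;
import hudson.model.Run;
import hudson.model.User;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;

/**
 * Hypothetical per-build action that lets a logged-in user "claim" a build.
 * Stapler exposes it at <build-url>/claim/ and maps a request to
 * <build-url>/claim/assign onto the doAssign(...) method below.
 */
public class ClaimAction implements Action {
    private final Run<?, ?> run;
    private volatile String claimedBy;   // user id of the current claimant, or null

    public ClaimAction(Run<?, ?> run) {
        this.run = run;
    }

    @Override public String getIconFileName() { return null; }   // no sidebar icon
    @Override public String getDisplayName()  { return "Claim"; }
    @Override public String getUrlName()      { return "claim"; }

    public String getClaimedBy() {
        return claimedBy;
    }

    /**
     * State-changing form handler.
     *
     * @RequirePOST makes Stapler reject any non-POST request (GET gets a 405)
     * before this method runs. That matters because Jenkins validates its CSRF
     * crumb only on POST requests: a handler that also accepts GET can be driven
     * by a cross-origin request that carries no crumb, which is the defect the
     * advisory describes. The permission check is the second, independent gate:
     * POST enforcement proves the request came from a form the user submitted,
     * the permission check proves the user is allowed to change the build.
     */
    @RequirePOST
    public void doAssign(StaplerRequest req, StaplerResponse rsp) throws IOException {
        run.checkPermission(Run.UPDATE);           // throws AccessDeniedException otherwise

        // Take the claimant from the authenticated session, never from a request
        // parameter, so a caller cannot assign the claim to someone else.
        User current = User.current();
        if (current == null) {
            rsp.sendError(401);                    // anonymous sessions cannot claim
            return;
        }

        claimedBy = current.getId();
        run.save();                                // persist build.xml with the new claim

        // Redirect back to the build page (PRG pattern) so a refresh does not resubmit.
        rsp.sendRedirect2(req.getContextPath() + "/" + run.getUrl());
    }
}
```

The fix for a handler like this is the single @RequirePOST line: without it, Stapler would dispatch a GET to the same method and Jenkins would never check a crumb. Reviewing a plugin for this class of bug means listing every do*(...) method (and every Jelly form that posts to one) and confirming that each state-changing one carries @RequirePOST or @POST and a checkPermission call.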


WAF Protection Rules

WAF Rule

Jenkins Claim Plugin, in versions before 2.18.2 (see the affected-versions table above), does not require POST requests for the form submission endpoint assigning claims, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to change claims. Jenkins
