
CVE-2021-21628: Stored XSS vulnerability in Jenkins Build With Parameters Plugin

CVSS Score: 5.4 (CVSS v3.1)

Basic Information

EPSS Score: 0.78495%
Published: 5/24/2022
Updated: 12/19/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package Name: org.jenkins-ci.plugins:build-with-parameters
Ecosystem: maven
Vulnerable Versions: <= 1.5
First Patched Version: 1.5.1

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from parameter names and descriptions being rendered into the plugin's UI without HTML escaping. The fix commit adds the 'escapeEntryTitleAndDescription' variable so that the Jelly templates escape those values before output. In vulnerable versions, the <f:entry> elements rendered title=${parameter.name} and description=${parameter.description} verbatim, so a user with Job/Configure permission could store an HTML or JavaScript payload in a parameter's name or description that executes in the browser of anyone who views the affected page. The Jelly template rendering is the vulnerable component here, because output encoding is the responsibility of template processing, and the data reaching it is attacker-controlled job configuration.
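The following is an added example, written for this page; it is not code from the Build With Parameters Plugin or from Jenkins core. It models the behaviour described above with plain Groovy so it runs outside Jenkins: renderVulnerable() stands in for the <= 1.5 template that interpolated the parameter name and description without escaping, and renderEscaped() stands in for the intended behaviour once escaping is enabled. The markup, the escapeHtml() helper and the sample parameter are all assumed and constructed here; the real f:entry output differs in detail.

```groovy
// Added example (not code from the Build With Parameters Plugin or from Jenkins core).
// Stand-in for the plugin's Jelly view: a stored parameter's name and description are
// written into an <f:entry title="..." description="..."> element. The markup below is
// simplified and assumed, not the real f:entry output.

// Minimal HTML escaping for text and attribute contexts. Jenkins core has equivalent
// helpers (hudson.Util.escape, h.escape in Jelly); a local copy keeps this example
// runnable with plain Groovy, outside Jenkins.
static String escapeHtml(String s) {
    if (s == null) return ''
    return s.replace('&', '&amp;')
            .replace('<', '&lt;')
            .replace('>', '&gt;')
            .replace('"', '&quot;')
            .replace("'", '&#39;')
}

// Vulnerable rendering (versions <= 1.5): raw interpolation into both an attribute
// value and the element body, as with title="${parameter.name}" in the Jelly template.
static String renderVulnerable(Map p) {
    return "<div class=\"setting-name\" title=\"${p.name}\">${p.name}</div>\n" +
           "<div class=\"setting-description\">${p.description}</div>"
}

// Hardened rendering (1.5.1 behaviour): identical markup, every parameter-controlled
// value escaped before it is placed in the attribute or in the element body.
static String renderEscaped(Map p) {
    return "<div class=\"setting-name\" title=\"${escapeHtml(p.name)}\">${escapeHtml(p.name)}</div>\n" +
           "<div class=\"setting-description\">${escapeHtml(p.description)}</div>"
}

// Constructed sample: a parameter as a user with Job/Configure permission could save it.
// Jenkins accepts these strings as a parameter name and description; only the HTML
// context into which the template writes them makes them dangerous.
def storedParameter = [
    name       : 'BRANCH" autofocus onfocus="alert(document.domain)',
    description: 'Target branch <img src=x onerror=alert(1)>'
]

String vulnerable = renderVulnerable(storedParameter)
String escaped    = renderEscaped(storedParameter)

println '--- vulnerable rendering (<= 1.5) ---'
println vulnerable
println '--- escaped rendering (1.5.1) ---'
println escaped

// In the vulnerable output the attacker's quote closes the title attribute and adds an
// event handler, and the <img> in the description survives as a real tag ...
assert vulnerable.contains('title="BRANCH" autofocus onfocus="alert(document.domain)"')
assert vulnerable.contains('<img src=x onerror=alert(1)>')
// ... whereas the escaped output keeps both values as inert text.
assert escaped.contains('title="BRANCH&quot; autofocus onfocus=&quot;alert(document.domain)"')
assert !escaped.contains('<img')
assert escaped.contains('&lt;img src=x onerror=alert(1)&gt;')
```

Run it with a plain `groovy` interpreter; the asserts encode what to look for when reviewing any template that writes configuration-controlled strings into HTML: the same value often lands in two contexts (attribute and text), and both need encoding.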

WAF Protection Rules

WAF Rule

Jenkins Build With Parameters Plugin 1.5 and earlier does not escape parameter names and descriptions. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. Jenkins Build With Para
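Upgrading to 1.5.1 changes how parameter names and descriptions are rendered, but it does not remove anything a Job/Configure user has already stored in them. The following is an added Jenkins Script Console audit, written for this page and not part of the plugin or of this advisory; it reports the installed plugin version and lists every job parameter whose name or description contains HTML metacharacters, so those entries can be reviewed and cleaned up. It assumes the plugin's short name is "build-with-parameters" (taken from the Maven artifactId above; that match is an assumption) and that the script runs on a controller with administer rights, as the Script Console requires.

```groovy
// Added example: a Jenkins Script Console audit for stored XSS payloads in job
// parameters. Not code from the Build With Parameters Plugin or from this advisory.
import hudson.model.Job
import hudson.model.ParametersDefinitionProperty
import jenkins.model.Jenkins

def jenkins = Jenkins.get()

// Report the installed version so findings can be read against the advisory
// (<= 1.5 vulnerable, 1.5.1 fixed). Short name "build-with-parameters" is assumed
// to equal the Maven artifactId.
def plugin = jenkins.pluginManager.getPlugin('build-with-parameters')
println(plugin ? "build-with-parameters version: ${plugin.version}"
               : 'build-with-parameters is not installed')

// Anything that could open a tag, break out of an attribute, add an event handler,
// or start a javascript: URL. Deliberately broad: this produces a triage list,
// and descriptions containing legitimate angle brackets or quotes will also show up.
def suspicious = ~/[<>"']|javascript:|\bon\w+\s*=/

int findings = 0
jenkins.getAllItems(Job.class).each { Job job ->
    def prop = job.getProperty(ParametersDefinitionProperty.class)
    if (prop == null) return            // job has no parameters
    prop.parameterDefinitions.each { pd ->
        [name: pd.name, description: pd.description].each { field, value ->
            if (value && suspicious.matcher(value).find()) {
                findings++
                println "${job.fullName}: parameter ${field} contains markup: ${value.take(120)}"
            }
        }
    }
}
println "${findings} suspicious parameter field(s) found"
```

Each hit names the job and the field (name or description), so the entry can be compared with the job's configuration history to find when and by which Job/Configure user it was saved, then edited or removed. An empty result on a controller still running <= 1.5 only means nothing is stored yet; the rendering defect remains until the plugin is updated.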
