
CVE-2021-21629: CSRF vulnerability in Jenkins Build With Parameters Plugin

CVSS Score (v3.1)
8.8

Basic Information

EPSS Score
0.23143%
Published
5/24/2022
Updated
12/19/2023
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Package Name
org.jenkins-ci.plugins:build-with-parameters
Ecosystem
maven
Vulnerable Versions
<= 1.5
First Patched Version
1.5.1

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The fix commit adds the Stapler @RequirePOST annotation to the plugin's form-submission web method, so that Stapler dispatches it only for POST requests. Before the fix the method also answered GET requests, and because Jenkins' CSRF crumb is validated only on POST, a user who is logged in to Jenkins and visits an attacker-controlled page can be made to schedule a build with attacker-chosen parameters (this is the PR:N, UI:R part of the vector). Since this method is the one that turns submitted form values into a parameterised build, it is the attack vector for the CVE.
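The pattern described above, shown as an added illustration rather than the plugin's own source: a Jenkins Action whose Stapler web method schedules a parameterised build from request parameters, first without and then with @RequirePOST. The class name, the "example-build" URL segment and the method names are assumptions; the Jenkins and Stapler APIs used (Action, ParametersDefinitionProperty, ParameterDefinition.createValue, ParameterizedJobMixIn.scheduleBuild2, RequirePOST) are real.

```java
package example;

import hudson.model.Action;
import hudson.model.Cause;
import hudson.model.CauseAction;
import hudson.model.Item;
import hudson.model.Job;
import hudson.model.ParameterDefinition;
import hudson.model.ParameterValue;
import hudson.model.ParametersAction;
import hudson.model.ParametersDefinitionProperty;
import jenkins.model.ParameterizedJobMixIn;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

/**
 * Illustrative Action (hypothetical; not the Build With Parameters Plugin's code).
 * Stapler exposes doBuildBefore() as <job>/example-build/buildBefore and
 * doBuild() as <job>/example-build/build. Real code would have only one of them;
 * both are shown here to contrast the vulnerable and the fixed form.
 */
public class ExampleBuildAction implements Action {

    private final Job<?, ?> job;

    public ExampleBuildAction(Job<?, ?> job) {
        this.job = job;
    }

    @Override public String getIconFileName() { return "notepad.png"; }
    @Override public String getDisplayName() { return "Build with parameters (example)"; }
    @Override public String getUrlName() { return "example-build"; }   // hypothetical URL segment

    /**
     * BEFORE the fix (the CVE-2021-21629 pattern): Stapler dispatches this method for
     * any HTTP verb, and Jenkins' CrumbFilter validates the CSRF crumb only on POST, so
     *   GET /job/<name>/example-build/buildBefore?PARAM=attacker-value
     * loaded from an <img> or link on an attacker's page schedules a build in the
     * victim's authenticated session. checkPermission() does not help here: the
     * victim is authorised to build, the request just was not theirs.
     */
    public void doBuildBefore(StaplerRequest req, StaplerResponse rsp) throws IOException {
        job.checkPermission(Item.BUILD);
        scheduleFromRequest(req);
        rsp.sendRedirect(".");
    }

    /**
     * AFTER the fix: @RequirePOST makes Stapler refuse non-POST dispatch (HTTP 405),
     * so the only way in is a POST, which must carry a valid crumb (or API-token
     * basic auth), neither of which a cross-site page can supply.
     */
    @RequirePOST
    public void doBuild(StaplerRequest req, StaplerResponse rsp) throws IOException {
        job.checkPermission(Item.BUILD);
        scheduleFromRequest(req);
        rsp.sendRedirect(".");
    }

    /** Reads each declared parameter from the request and enqueues the build. */
    private void scheduleFromRequest(StaplerRequest req) {
        List<ParameterValue> values = new ArrayList<>();
        ParametersDefinitionProperty pdp = job.getProperty(ParametersDefinitionProperty.class);
        if (pdp != null) {
            for (ParameterDefinition pd : pdp.getParameterDefinitions()) {
                // createValue(req) looks the parameter up by name in the request;
                // it returns null when the request did not supply it.
                ParameterValue v = pd.createValue(req);
                if (v == null) {
                    v = pd.getDefaultParameterValue();
                }
                if (v != null) {
                    values.add(v);
                }
            }
        }
        ParameterizedJobMixIn.scheduleBuild2(job, 0,
                new CauseAction(new Cause.UserIdCause()),
                new ParametersAction(values));
    }
}
```

To check a plugin for this class of bug, grep its Action and Descriptor classes for `do*` methods that change state and carry neither @RequirePOST nor @POST, and confirm under JenkinsRule that a GET from `JenkinsRule.WebClient.goTo()` to the endpoint fails with status 405 while a POST to `webClient.createCrumbedUrl(...)` succeeds. Requiring POST is necessary but not sufficient: the handler still needs its own authorization check (the `checkPermission(Item.BUILD)` above), since the crumb only proves the request came from a same-origin page.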

WAF Protection Rules

WAF Rule

Jenkins Build With Parameters Plugin 1.5 and earlier does not require POST requests for its form submission endpoint, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to build a project with attacke
