4.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2021-21640

GHSA ID

GHSA-w2hv-rcqr-2h7r

EPSS Score

0.37668%

CWE

CWE-240

Published

5/24/2022

Updated

12/7/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-21640

CVE-2021-21640: View name validation bypass in Jenkins

Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not properly check that a newly created view has an allowed name. When a form to create a view is submitted, the name is included twice in the submission. One instance is validated, but the other instance is used to create the value.

This allows attackers with View/Create permission to create views with invalid or already-used names.

Jenkins 2.287, LTS 2.277.2 uses the same submitted value for validation and view creation.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2021-21640

CVE-2021-21640:

4.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2021-21640

GHSA ID

GHSA-w2hv-rcqr-2h7r

EPSS Score

0.37668%

CWE

CWE-240

Published

5/24/2022

Updated

12/7/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.main:jenkins-core	maven	>= 2.278, <= 2.286	2.287
org.jenkins-ci.main:jenkins-core	maven	< 2.277.2	2.277.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the View.create method's handling of form submissions. The original code (before patch) directly used req.getSubmittedForm() without ensuring the 'name' parameter matched the validated value. The commit diff shows the fix explicitly injects the validated 'name' into the submitted form data before view creation. The test case ViewSEC1871Test demonstrates how inconsistent names in form fields could bypass validation, which this function's flawed implementation allowed.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2021-21640: View name validation bypass in Jenkins

CVE-2021-21640:

4.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Technical Details

CVE-2021-21640: View name validation bypass in Jenkins

4.3

4.3

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI