CVE-2021-21649: Cross-site Scripting in Jenkins Dashboard View Plugin
CVSS Score (v3.1): 5.4
Basic Information
CVE ID: CVE-2021-21649
GHSA ID
EPSS Score: 0.75793%
CWE
Published: 6/16/2021
Updated: 12/27/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.jenkins-ci.plugins:dashboard-view | maven | >= 2.13, < 2.16 | 2.16 |
| org.jenkins-ci.plugins:dashboard-view | maven | < 2.12.1 | 2.12.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from unsanitized URL handling in Image Dashboard Portlets. The commit diff shows:
- The 'url' property was renamed to 'imageUrl' to enforce validation
- A new getUrlError() validation method was added to restrict URLs to http/https/relative
- The Jelly template (portlet.jelly) was modified to conditionally render based on URL validity
- The deprecated getUrl() method in ImagePortlet.java directly returned user input without validation
- Test cases demonstrate XSS prevention by validating against URLs like '<img/src/onerror=alert(...)'

The pre-patch code path through getUrl() allowed arbitrary URL injection, while post-patch validation in getImageUrl() and isUrlValid() mitigates this.