CVE-2021-21652: CSRF vulnerability in Jenkins Xray - Test Management for Jira Plugin allows capturing credentials

CVSS Score (v3.1)
7.1

Basic Information

EPSS Score
0.29045%
Published
6/16/2021
Updated
10/27/2023
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Package Name: org.jenkins-ci.plugins:xray-connector
Ecosystem: maven
Vulnerable Versions: < 2.4.1
First Patched Version: 2.4.1

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from a connection-test endpoint that accepted non-POST requests. In Jenkins plugins, form-validation endpoints such as connection tests are typically implemented as doTestConnection methods on Descriptor classes. Jenkins' CSRF protection (the crumb check) is enforced only on POST, so a GET-reachable endpoint with a side effect (here, sending stored credentials to a caller-supplied URL) can be triggered from any page a logged-in user visits, for example via an <img> tag. The advisory states that the fix was to require POST requests, which indicates the original implementation lacked HTTP-method validation; Jenkins' plugin security guidance requires the @RequirePOST annotation on such methods, and normally a permission check as well, since the endpoint uses stored credentials on the caller's behalf.

WAF Protection Rules

WAF Rule

Jenkins Xray - Test Management for Jira Plugin 2.4.0 and earlier does not require POST requests for a connection test method, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to connect to an attack
