8.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-21659

GHSA ID

GHSA-34j5-c4cv-mmg5

EPSS Score

0.78457%

CWE

CWE-611

Published

5/24/2022

Updated

10/27/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-21659

CVE-2021-21659: XXE vulnerability in Jenkins URLTrigger Plugin

Jenkins URLTrigger Plugin 0.48 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers with Job/Configure permission or otherwise able to control the contents of an URL to an XML document being examined for changes to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the polling Jenkins controller or agent, server-side request forgery, or denial-of-service attacks.

UJenkins RLTrigger Plugin 0.49 disables external entity resolution for its XML parser.

(GitHub Advisory)

8.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-21659

GHSA ID

GHSA-34j5-c4cv-mmg5

EPSS Score

0.78457%

CWE

CWE-611

Published

5/24/2022

Updated

10/27/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:urltrigger	maven	<= 0.48	0.49

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insecure XML parser configuration in the URLTrigger Plugin. The advisory explicitly states the parser wasn't configured to prevent XXE, and the fix involved disabling external entity resolution. The most likely vulnerable functions are those handling XML content parsing from URLs. The 'checkURL' method would initiate content retrieval/processing, while 'XMLContentType#parseContent' would directly handle XML parsing. Both would require secure parser configuration (disabling DTDs/external entities) to mitigate XXE, which was missing in vulnerable versions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins URLTri***r Plu*in *.** *n* **rli*r *o*s not *on*i*ur* its XML p*rs*r to pr*v*nt XML *xt*rn*l *ntity (XX*) *tt**ks. T*is *llows *tt**k*rs wit* Jo*/*on*i*ur* p*rmission or ot**rwis* **l* to *ontrol t** *ont*nts o* *n URL to *n XML *o*um*nt **i

Reasoning

T** vuln*r**ility st*ms *rom ins**ur* XML p*rs*r *on*i*ur*tion in t** URLTri***r Plu*in. T** **visory *xpli*itly st*t*s t** p*rs*r w*sn't *on*i*ur** to pr*v*nt XX*, *n* t** *ix involv** *is**lin* *xt*rn*l *ntity r*solution. T** most lik*ly vuln*r**l*

8.1

Basic Information

Concerned about an active attack path?

CVE-2021-21659: XXE vulnerability in Jenkins URLTrigger Plugin

8.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI