8.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2021-21659

GHSA ID

GHSA-34j5-c4cv-mmg5

EPSS Score

0.78457%

CWE

CWE-611

Published

5/24/2022

Updated

10/27/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-21659

CVE-2021-21659: XXE vulnerability in Jenkins URLTrigger Plugin

Jenkins URLTrigger Plugin 0.48 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers with Job/Configure permission or otherwise able to control the contents of an URL to an XML document being examined for changes to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the polling Jenkins controller or agent, server-side request forgery, or denial-of-service attacks.

UJenkins RLTrigger Plugin 0.49 disables external entity resolution for its XML parser.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2021-21659

CVE-2021-21659:

8.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2021-21659

GHSA ID

GHSA-34j5-c4cv-mmg5

EPSS Score

0.78457%

CWE

CWE-611

Published

5/24/2022

Updated

10/27/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:urltrigger	maven	<= 0.48	0.49

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insecure XML parser configuration in the URLTrigger Plugin. The advisory explicitly states the parser wasn't configured to prevent XXE, and the fix involved disabling external entity resolution. The most likely vulnerable functions are those handling XML content parsing from URLs. The 'checkURL' method would initiate content retrieval/processing, while 'XMLContentType#parseContent' would directly handle XML parsing. Both would require secure parser configuration (disabling DTDs/external entities) to mitigate XXE, which was missing in vulnerable versions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2021-21659: XXE vulnerability in Jenkins URLTrigger Plugin

CVE-2021-21659:

8.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2021-21659: XXE vulnerability in Jenkins URLTrigger Plugin

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

8.1

8.1

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI