CVE-2021-21660: XSS vulnerability in Jenkins Markdown Formatter Plugin
5.4
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.47731%
CWE
Published
5/24/2022
Updated
12/22/2023
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| io.jenkins.plugins:markdown-formatter | maven | <= 0.1.0 | 0.2.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from improper URL sanitization in markdown link rendering. The pre-patch code used Flexmark library's HtmlRenderer with escapeHtml(true) but lacked URL sanitization features. The critical fix in the commit switched to CommonMark's HtmlRenderer with both escapeHtml(true) and sanitizeUrls(true), explicitly addressing URL schemes. The test case changes demonstrate that previously dangerous links like click me were not properly neutralized, while post-patch they get sanitized with 'nofollow' and empty hrefs. The translate method is directly responsible for parsing and rendering user-controlled markdown content, making it the vulnerable entry point.