{"containers": {"cna": {"affected": [{"product": "Jenkins", "vendor": "Jenkins project", "versions": [{"lessThanOrEqual": "2.274", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThanOrEqual": "LTS 2.263.1", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows attackers with permission to create or configure various objects to inject crafted content into Old Data Monitor that results in the instantiation of potentially unsafe objects once discarded by an administrator."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2023-10-24T15:50:22.296Z"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-1923"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "jenkinsci-cert@googlegroups.com", "ID": "CVE-2021-21604", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Jenkins", "version": {"version_data": [{"version_affected": "<=", "version_value": "2.274"}, {"version_affected": "<=", "version_value": "LTS 2.263.1"}]}}]}, "vendor_name": "Jenkins project"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows attackers with permission to create or configure various objects to inject crafted content into Old Data Monitor that results in the instantiation of potentially unsafe objects once discarded by an administrator."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-502: Deserialization of Untrusted Data"}]}]}, "references": {"reference_data": [{"name": "https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-1923", "refsource": "CONFIRM", "url": "https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-1923"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:16:23.595Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-1923"}]}]}, "cveMetadata": {"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2021-21604", "datePublished": "2021-01-13T15:55:28", "dateReserved": "2021-01-04T00:00:00", "dateUpdated": "2024-08-03T18:16:23.595Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*", "matchCriteriaId": "1D0A8DA2-6151-430D-9FC2-1332E25B4E3B", "versionEndIncluding": "2.263.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*", "matchCriteriaId": "9A6F1AB1-BFB3-448F-BDAC-2A3487CBFEB6", "versionEndIncluding": "2.274", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows attackers with permission to create or configure various objects to inject crafted content into Old Data Monitor that results in the instantiation of potentially unsafe objects once discarded by an administrator."}, {"lang": "es", "value": "Jenkins versiones 2.274 y anteriores, LTS versiones 2.263.1 y anteriores, permite a atacantes con permiso para crear o configurar varios objetos para inyectar contenido dise\u00f1ado en Old Data Monitor que resulta en la instanciaci\u00f3n de objetos potencialmente no seguros una vez que son descartados por un administrador."}], "id": "CVE-2021-21604", "lastModified": "2024-11-21T05:48:41.053", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-01-13T16:15:13.523", "references": [{"source": "jenkinsci-cert@googlegroups.com", "tags": ["Vendor Advisory"], "url": "https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-1923"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-1923"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2021:0637", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "jenkins-0:2.263.3.1612433584-1.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2021-03-03T00:00:00Z"}, {"advisory": "RHSA-2021:0429", "cpe": "cpe:/a:redhat:openshift:4.5::el7", "package": "conmon-2:2.0.21-1.rhaos4.5.el8", "product_name": "Red Hat OpenShift Container Platform 4.5", "release_date": "2021-03-03T00:00:00Z"}, {"advisory": "RHSA-2021:0429", "cpe": "cpe:/a:redhat:openshift:4.5::el7", "package": "jenkins-0:2.263.3.1612434332-1.el7", "product_name": "Red Hat OpenShift Container Platform 4.5", "release_date": "2021-03-03T00:00:00Z"}, {"advisory": "RHSA-2021:0429", "cpe": "cpe:/a:redhat:openshift:4.5::el7", "package": "machine-config-daemon-0:4.5.0-202102050524.p0.git.2594.ff3b8c0.el8", "product_name": "Red Hat OpenShift Container Platform 4.5", "release_date": "2021-03-03T00:00:00Z"}, {"advisory": "RHSA-2021:0429", "cpe": "cpe:/a:redhat:openshift:4.5::el7", "package": "openshift-0:4.5.0-202102050524.p0.git.0.9229406.el7", "product_name": "Red Hat OpenShift Container Platform 4.5", "release_date": "2021-03-03T00:00:00Z"}, {"advisory": "RHSA-2021:0429", "cpe": "cpe:/a:redhat:openshift:4.5::el7", "package": "openshift-ansible-0:4.5.0-202102031005.p0.git.0.c6839a2.el7", "product_name": "Red Hat OpenShift Container Platform 4.5", "release_date": "2021-03-03T00:00:00Z"}, {"advisory": "RHSA-2021:0429", "cpe": "cpe:/a:redhat:openshift:4.5::el7", "package": "openshift-clients-0:4.5.0-202102051529.p0.git.3612.61b096a.el7", "product_name": "Red Hat OpenShift Container Platform 4.5", "release_date": "2021-03-03T00:00:00Z"}, {"advisory": "RHSA-2021:0429", "cpe": "cpe:/a:redhat:openshift:4.5::el7", "package": "runc-0:1.0.0-72.rhaos4.5.giteadfc6b.el8", "product_name": "Red Hat OpenShift Container Platform 4.5", "release_date": "2021-03-03T00:00:00Z"}, {"advisory": "RHSA-2021:0423", "cpe": "cpe:/a:redhat:openshift:4.6::el8", "package": "jenkins-0:2.263.3.1612434510-1.el8", "product_name": "Red Hat OpenShift Container Platform 4.6", "release_date": "2021-02-17T00:00:00Z"}], "bugzilla": {"description": "jenkins: Improper handling of REST API XML deserialization errors", "id": "1925157", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1925157"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.0", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-502", "details": ["Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows attackers with permission to create or configure various objects to inject crafted content into Old Data Monitor that results in the instantiation of potentially unsafe objects once discarded by an administrator.", "A flaw was found in jenkins. An attacker with permission to create or configure various objects to inject crafted content into Old Data Monitor can cause the instantiation of potentially unsafe objects once discarded by an administrator. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."], "name": "CVE-2021-21604", "package_state": [{"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "jenkins", "product_name": "Red Hat Fuse 7"}], "public_date": "2021-01-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-21604\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-21604"], "threat_severity": "Important", "upstream_fix": "jenkins 2.275, jenkins LTS 2.263.2"}