{"containers": {"cna": {"affected": [{"product": "Jenkins", "vendor": "Jenkins project", "versions": [{"lessThanOrEqual": "2.274", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThanOrEqual": "LTS 2.263.1", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape button labels in the Jenkins UI, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to control button labels."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2023-10-24T15:50:26.853Z"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2035"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "jenkinsci-cert@googlegroups.com", "ID": "CVE-2021-21608", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Jenkins", "version": {"version_data": [{"version_affected": "<=", "version_value": "2.274"}, {"version_affected": "<=", "version_value": "LTS 2.263.1"}]}}]}, "vendor_name": "Jenkins project"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape button labels in the Jenkins UI, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to control button labels."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]}, "references": {"reference_data": [{"name": "https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2035", "refsource": "CONFIRM", "url": "https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2035"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:16:23.633Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2035"}]}]}, "cveMetadata": {"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2021-21608", "datePublished": "2021-01-13T15:55:30", "dateReserved": "2021-01-04T00:00:00", "dateUpdated": "2024-08-03T18:16:23.633Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*", "matchCriteriaId": "1D0A8DA2-6151-430D-9FC2-1332E25B4E3B", "versionEndIncluding": "2.263.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*", "matchCriteriaId": "9A6F1AB1-BFB3-448F-BDAC-2A3487CBFEB6", "versionEndIncluding": "2.274", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape button labels in the Jenkins UI, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to control button labels."}, {"lang": "es", "value": "Jenkins versiones 2.274 y anteriores, LTS versiones 2.263.1 y anteriores, no escapan las etiquetas de los botones en la Interfaz de Usuario de Jenkins, resultando en una vulnerabilidad de tipo cross-site scripting (XSS) explotable por unos atacantes con la habilidad de controlar unas etiquetas de unos botones."}], "id": "CVE-2021-21608", "lastModified": "2024-11-21T05:48:41.473", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-01-13T16:15:13.837", "references": [{"source": "jenkinsci-cert@googlegroups.com", "tags": ["Vendor Advisory"], "url": "https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2035"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2035"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2021:0637", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "jenkins-0:2.263.3.1612433584-1.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2021-03-03T00:00:00Z"}, {"advisory": "RHSA-2021:0429", "cpe": "cpe:/a:redhat:openshift:4.5::el7", "package": "conmon-2:2.0.21-1.rhaos4.5.el8", "product_name": "Red Hat OpenShift Container Platform 4.5", "release_date": "2021-03-03T00:00:00Z"}, {"advisory": "RHSA-2021:0429", "cpe": "cpe:/a:redhat:openshift:4.5::el7", "package": "jenkins-0:2.263.3.1612434332-1.el7", "product_name": "Red Hat OpenShift Container Platform 4.5", "release_date": "2021-03-03T00:00:00Z"}, {"advisory": "RHSA-2021:0429", "cpe": "cpe:/a:redhat:openshift:4.5::el7", "package": "machine-config-daemon-0:4.5.0-202102050524.p0.git.2594.ff3b8c0.el8", "product_name": "Red Hat OpenShift Container Platform 4.5", "release_date": "2021-03-03T00:00:00Z"}, {"advisory": "RHSA-2021:0429", "cpe": "cpe:/a:redhat:openshift:4.5::el7", "package": "openshift-0:4.5.0-202102050524.p0.git.0.9229406.el7", "product_name": "Red Hat OpenShift Container Platform 4.5", "release_date": "2021-03-03T00:00:00Z"}, {"advisory": "RHSA-2021:0429", "cpe": "cpe:/a:redhat:openshift:4.5::el7", "package": "openshift-ansible-0:4.5.0-202102031005.p0.git.0.c6839a2.el7", "product_name": "Red Hat OpenShift Container Platform 4.5", "release_date": "2021-03-03T00:00:00Z"}, {"advisory": "RHSA-2021:0429", "cpe": "cpe:/a:redhat:openshift:4.5::el7", "package": "openshift-clients-0:4.5.0-202102051529.p0.git.3612.61b096a.el7", "product_name": "Red Hat OpenShift Container Platform 4.5", "release_date": "2021-03-03T00:00:00Z"}, {"advisory": "RHSA-2021:0429", "cpe": "cpe:/a:redhat:openshift:4.5::el7", "package": "runc-0:1.0.0-72.rhaos4.5.giteadfc6b.el8", "product_name": "Red Hat OpenShift Container Platform 4.5", "release_date": "2021-03-03T00:00:00Z"}, {"advisory": "RHSA-2021:0423", "cpe": "cpe:/a:redhat:openshift:4.6::el8", "package": "jenkins-0:2.263.3.1612434510-1.el8", "product_name": "Red Hat OpenShift Container Platform 4.6", "release_date": "2021-02-17T00:00:00Z"}], "bugzilla": {"description": "jenkins: Stored XSS vulnerability in button labels", "id": "1925140", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1925140"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-79", "details": ["Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape button labels in the Jenkins UI, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to control button labels.", "A flaw was found in jenkins. A cross-site scripting (XSS) vulnerability, due to the button labels not being properly escaped, can allow an attacker to control button labels. The highest threat from this vulnerability is to data confidentiality and integrity."], "name": "CVE-2021-21608", "package_state": [{"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "jenkins", "product_name": "Red Hat Fuse 7"}], "public_date": "2021-01-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-21608\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-21608"], "threat_severity": "Important", "upstream_fix": "jenkins 2.275, jenkins LTS 2.263.2"}