{"containers": {"cna": {"affected": [{"product": "Jenkins Config File Provider Plugin", "vendor": "Jenkins project", "versions": [{"lessThanOrEqual": "3.7.0", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Jenkins Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2023-10-24T15:51:06.012Z"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.jenkins.io/security/advisory/2021-04-21/#SECURITY-2204"}, {"name": "[oss-security] 20210421 Multiple vulnerabilities in Jenkins plugins", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2021/04/21/2"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "jenkinsci-cert@googlegroups.com", "ID": "CVE-2021-21642", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Jenkins Config File Provider Plugin", "version": {"version_data": [{"version_affected": "<=", "version_value": "3.7.0"}]}}]}, "vendor_name": "Jenkins project"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Jenkins Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-611: Improper Restriction of XML External Entity Reference"}]}]}, "references": {"reference_data": [{"name": "https://www.jenkins.io/security/advisory/2021-04-21/#SECURITY-2204", "refsource": "CONFIRM", "url": "https://www.jenkins.io/security/advisory/2021-04-21/#SECURITY-2204"}, {"name": "[oss-security] 20210421 Multiple vulnerabilities in Jenkins plugins", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2021/04/21/2"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:16:23.884Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.jenkins.io/security/advisory/2021-04-21/#SECURITY-2204"}, {"name": "[oss-security] 20210421 Multiple vulnerabilities in Jenkins plugins", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2021/04/21/2"}]}]}, "cveMetadata": {"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2021-21642", "datePublished": "2021-04-21T14:20:28", "dateReserved": "2021-01-04T00:00:00", "dateUpdated": "2024-08-03T18:16:23.884Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:config_file_provider:*:*:*:*:*:jenkins:*:*", "matchCriteriaId": "D9585A7C-580E-4D27-9986-4F5EA086D70C", "versionEndIncluding": "3.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Jenkins Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks."}, {"lang": "es", "value": "Jenkins Config File Provider Plugin versiones 3.7.0 y anteriores, no configuran su analizador XML para evitar ataques de tipo XML external entity (XXE)"}], "id": "CVE-2021-21642", "lastModified": "2024-11-21T05:48:45.227", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 5.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-04-21T15:15:08.287", "references": [{"source": "jenkinsci-cert@googlegroups.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/04/21/2"}, {"source": "jenkinsci-cert@googlegroups.com", "tags": ["Vendor Advisory"], "url": "https://www.jenkins.io/security/advisory/2021-04-21/#SECURITY-2204"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/04/21/2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.jenkins.io/security/advisory/2021-04-21/#SECURITY-2204"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHBA-2021:2854", "cpe": "cpe:/a:redhat:rhmt:1.4::el7", "package": "rhmtc/openshift-migration-controller-rhel8:v1.4.6-4", "product_name": "Red Hat Migration Toolkit for Containers 1.4", "release_date": "2021-07-21T00:00:00Z"}, {"advisory": "RHBA-2021:2854", "cpe": "cpe:/a:redhat:rhmt:1.4::el7", "package": "rhmtc/openshift-migration-log-reader-rhel8:v1.4.6-4", "product_name": "Red Hat Migration Toolkit for Containers 1.4", "release_date": "2021-07-21T00:00:00Z"}, {"advisory": "RHBA-2021:2854", "cpe": "cpe:/a:redhat:rhmt:1.4::el7", "package": "rhmtc/openshift-migration-must-gather-rhel8:v1.4.6-4", "product_name": "Red Hat Migration Toolkit for Containers 1.4", "release_date": "2021-07-21T00:00:00Z"}, {"advisory": "RHBA-2021:2854", "cpe": "cpe:/a:redhat:rhmt:1.4::el7", "package": "rhmtc/openshift-migration-operator-bundle:v1.4.6-5", "product_name": "Red Hat Migration Toolkit for Containers 1.4", "release_date": "2021-07-21T00:00:00Z"}, {"advisory": "RHBA-2021:2854", "cpe": "cpe:/a:redhat:rhmt:1.4::el7", "package": "rhmtc/openshift-migration-registry-rhel8:v1.4.6-4", "product_name": "Red Hat Migration Toolkit for Containers 1.4", "release_date": "2021-07-21T00:00:00Z"}, {"advisory": "RHBA-2021:2854", "cpe": "cpe:/a:redhat:rhmt:1.4::el7", "package": "rhmtc/openshift-migration-rsync-transfer-rhel8:v1.4.6-4", "product_name": "Red Hat Migration Toolkit for Containers 1.4", "release_date": "2021-07-21T00:00:00Z"}, {"advisory": "RHBA-2021:2854", "cpe": "cpe:/a:redhat:rhmt:1.4::el7", "package": "rhmtc/openshift-migration-ui-rhel8:v1.4.6-4", "product_name": "Red Hat Migration Toolkit for Containers 1.4", "release_date": "2021-07-21T00:00:00Z"}, {"advisory": "RHBA-2021:2854", "cpe": "cpe:/a:redhat:rhmt:1.4::el7", "package": "rhmtc/openshift-migration-velero-plugin-for-aws-rhel8:v1.4.6-4", "product_name": "Red Hat Migration Toolkit for Containers 1.4", "release_date": "2021-07-21T00:00:00Z"}, {"advisory": "RHBA-2021:2854", "cpe": "cpe:/a:redhat:rhmt:1.4::el7", "package": "rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8:v1.4.6-3", "product_name": "Red Hat Migration Toolkit for Containers 1.4", "release_date": "2021-07-21T00:00:00Z"}, {"advisory": "RHBA-2021:2854", "cpe": "cpe:/a:redhat:rhmt:1.4::el7", "package": "rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8:v1.4.6-4", "product_name": "Red Hat Migration Toolkit for Containers 1.4", "release_date": "2021-07-21T00:00:00Z"}, {"advisory": "RHBA-2021:2854", "cpe": "cpe:/a:redhat:rhmt:1.4::el7", "package": "rhmtc/openshift-migration-velero-restic-restore-helper-rhel8:v1.4.6-5", "product_name": "Red Hat Migration Toolkit for Containers 1.4", "release_date": "2021-07-21T00:00:00Z"}, {"advisory": "RHBA-2021:2854", "cpe": "cpe:/a:redhat:rhmt:1.4::el7", "package": "rhmtc/openshift-migration-velero-rhel8:v1.4.6-5", "product_name": "Red Hat Migration Toolkit for Containers 1.4", "release_date": "2021-07-21T00:00:00Z"}, {"advisory": "RHBA-2021:2854", "cpe": "cpe:/a:redhat:rhmt:1.4::el7", "package": "rhmtc/openshift-velero-plugin-rhel8:v1.4.6-4", "product_name": "Red Hat Migration Toolkit for Containers 1.4", "release_date": "2021-07-21T00:00:00Z"}, {"advisory": "RHSA-2021:2517", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "jenkins-2-plugins-0:3.11.1624366838-1.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2021-06-30T00:00:00Z"}, {"advisory": "RHSA-2021:2431", "cpe": "cpe:/a:redhat:openshift:4.5::el7", "package": "jenkins-2-plugins-0:4.5.1623326336-1.el7", "product_name": "Red Hat OpenShift Container Platform 4.5", "release_date": "2021-07-02T00:00:00Z"}, {"advisory": "RHBA-2021:2407", "cpe": "cpe:/a:redhat:openshift:4.6::el8", "package": "jenkins-2-plugins-0:4.6.1623162648-1.el8", "product_name": "Red Hat OpenShift Container Platform 4.6", "release_date": "2021-06-22T00:00:00Z"}, {"advisory": "RHSA-2021:2122", "cpe": "cpe:/a:redhat:openshift:4.7::el7", "package": "cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-06-01T00:00:00Z"}, {"advisory": "RHSA-2021:2122", "cpe": "cpe:/a:redhat:openshift:4.7::el7", "package": "cri-tools-0:1.20.0-3.el7", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-06-01T00:00:00Z"}, {"advisory": "RHSA-2021:2122", "cpe": "cpe:/a:redhat:openshift:4.7::el7", "package": "jenkins-2-plugins-0:4.7.1621361158-1.el8", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-06-01T00:00:00Z"}, {"advisory": "RHSA-2021:2122", "cpe": "cpe:/a:redhat:openshift:4.7::el7", "package": "redhat-release-coreos-0:47.83-2.el8", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-06-01T00:00:00Z"}], "bugzilla": {"description": "jenkins-2-plugins/config-file-provider: Does not configure its XML parser to prevent XML external entity (XXE) attacks.", "id": "1952146", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1952146"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "status": "verified"}, "cwe": "CWE-611", "details": ["Jenkins Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.", "A flaw was found in the config-file-provider Jenkins plugin. The plugin XML parser wasn't configure to prevent XML external entity (XXE) attacks. An attacker with the ability to define Maven configuration files can use this vulnerability to prepare a crafted configuration file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery."], "mitigation": {"lang": "en:us", "value": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update as soon as possible."}, "name": "CVE-2021-21642", "public_date": "2021-04-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-21642\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-21642\nhttps://www.jenkins.io/security/advisory/2021-04-21/#SECURITY-2204"], "threat_severity": "Important", "upstream_fix": "config-file-provider 3.7.1"}