CVE-2021-21642: XEE
First published: Wed Apr 21 2021(Updated: )
A flaw was found in the config-file-provider Jenkins plugin. The plugin XML parser wasn't configure to prevent XML external entity (XXE) attacks. An attacker with the ability to define Maven configuration files can use this vulnerability to prepare a crafted configuration file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/jenkins | <2-plugins-0:3.11.1624366838-1.el7 | 2-plugins-0:3.11.1624366838-1.el7 |
| redhat/jenkins | <2-plugins-0:4.5.1623326336-1.el7 | 2-plugins-0:4.5.1623326336-1.el7 |
| redhat/jenkins | <2-plugins-0:4.6.1623162648-1.el8 | 2-plugins-0:4.6.1623162648-1.el8 |
| redhat/cri-o | <0:1.20.2-12.rhaos4.7.git9f7be76.el8 | 0:1.20.2-12.rhaos4.7.git9f7be76.el8 |
| redhat/cri-tools | <0:1.20.0-3.el7 | 0:1.20.0-3.el7 |
| redhat/jenkins | <2-plugins-0:4.7.1621361158-1.el8 | 2-plugins-0:4.7.1621361158-1.el8 |
| redhat/redhat-release-coreos | <0:47.83-2.el8 | 0:47.83-2.el8 |
| Jenkins Config File Provider | <=3.7.0 | |
| maven/org.jenkins-ci.plugins:config-file-provider | <=3.7.0 | 3.7.1 |
Remedy
Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update as soon as possible.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2021-21642
- https://www.jenkins.io/security/advisory/2021-04-21/#SECURITY-2204
- http://www.openwall.com/lists/oss-security/2021/04/21/2
- https://github.com/jenkinsci/config-file-provider-plugin/commit/5f845bc015be769e595088bab11ec36c767671e1
- https://github.com/advisories/GHSA-q7xg-hh3q-hc68 (Advisory)
- https://access.redhat.com/errata/RHSA-2021:2122
- https://access.redhat.com/security/cve/cve-2021-21642
- https://access.redhat.com/errata/RHSA-2021:2517
- https://access.redhat.com/errata/RHSA-2021:2431
- https://bugzilla.redhat.com/show_bug.cgi?id=1952146
- https://www.cve.org/CVERecord?id=CVE-2021-21642 https://nvd.nist.gov/vuln/detail/CVE-2021-21642 https://www.jenkins.io/security/advisory/2021-04-21/#SECURITY-2204
- https://access.redhat.com/errata/RHBA-2021:2854
- https://access.redhat.com/errata/RHBA-2021:2407
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2021-21642?
CVE-2021-21642 is a vulnerability in the Jenkins Config File Provider Plugin that allows for XML external entity (XXE) attacks.
How severe is CVE-2021-21642?
CVE-2021-21642 has a severity rating of 8.1 (high).
Which software versions are affected by CVE-2021-21642?
Jenkins Config File Provider Plugin versions 3.7.0 and earlier are affected by CVE-2021-21642.
How can I fix CVE-2021-21642?
To fix CVE-2021-21642, upgrade to version 3.7.1 of the Jenkins Config File Provider Plugin.
Where can I find more information about CVE-2021-21642?
More information about CVE-2021-21642 can be found on the Jenkins.io and Red Hat websites.
- collector/redhat-cve
- collector/nvd-index
- collector/nvd-api
- collector/nvd-cve
- collector/github-advisory-latest
- alias/GHSA-q7xg-hh3q-hc68
- alias/CVE-2021-21642
- collector/github-advisory
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- agent/softwarecombine
- agent/references
- agent/remedy
- agent/severity
- agent/weakness
- agent/author
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/tags
- agent/event
- collector/mitre-cve
- source/MITRE
- package-manager/redhat
- vendor/jenkins
- canonical/jenkins config file provider
- version/jenkins config file provider/3.7.0
- package-manager/maven