CVEbuzz: Security / vulnerability advisories for Jenkins Build With Parameters 1.3 for Jenkins

CPE for product: cpe:2.3:a:jenkins:build_with_parameters:1.3:*:*:*:*:jenkins:*:*

CVE-2021-21629	Maximal damage	8.8
	Easy to exploit

(other affected products)

Published: Tue Mar 30 12:16:00 2021 UTC. Last Modified: Fri Apr 2 17:41:00 2021 UTC

CPE matches: cpe:2.3:a:jenkins:build_with_parameters:*:*:*:*:*:jenkins:*:* && versionEndIncluding=1.5

Description

A cross-site request forgery (CSRF) vulnerability in Jenkins Build With Parameters Plugin 1.5 and earlier allows attackers to build a project with attacker-specified parameters.

Damage

Complete loss of protection.
Access to all information.
Full Denial Of Service (DoS).

Attack conditions

Remote attacking is possible through the network and can be done by anyone (requires no authentication).
Human user action interaction is required for the attack.
The attack is estimated to have a high success rate, once attempted.

Damage and attack conditions obtained from CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (CVSSv3)

Type of bug(s)

CWE-352, Cross-Site Request Forgery (CSRF): The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References

CVE-2021-21628	Medium-low damage	5.4
	Medium difficulty to exploit

(other affected products)

Published: Tue Mar 30 12:16:00 2021 UTC. Last Modified: Fri Apr 2 17:29:00 2021 UTC

CPE matches: cpe:2.3:a:jenkins:build_with_parameters:*:*:*:*:*:jenkins:*:* && versionEndIncluding=1.5

Description

Jenkins Build With Parameters Plugin 1.5 and earlier does not escape parameter names and descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Damage

Limited modification of data and/or system files.
Limited access to information.

Attack conditions

Remote attacking is possible through the network but requires the attacker to have regular user privileges.
Human user action interaction is required for the attack.
The attack is estimated to have a high success rate, once attempted.

Damage and attack conditions obtained from CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (CVSSv3)

Type of bug(s)

CWE-79, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Security / vulnerability advisories for Jenkins Build With Parameters 1.3 for Jenkins

Titles listed in dictionary

Description

Damage

Attack conditions

Type of bug(s)

References

Description

Damage

Attack conditions

Type of bug(s)

References