CVE-2021-21646: Protection Mechanism Failure

May 24, 2022 (updated December 21, 2022)

Jenkins Templating Engine Plugin 2.1 and earlier does not protect its pipeline configurations using Script Security Plugin, allowing attackers with Job/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM.

References

www.openwall.com/lists/oss-security/2021/04/21/2
github.com/advisories/GHSA-p6qc-37hq-wqr6
nvd.nist.gov/vuln/detail/CVE-2021-21646
www.jenkins.io/security/advisory/2021-04-21/

Code Behaviors & Features

Detect and mitigate CVE-2021-21646 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →