CVE-2021-21604

8.0 HIGH

📋 TL;DR

This vulnerability allows authenticated attackers with permission to create or configure objects in Jenkins to inject malicious content into Old Data Monitor. When an administrator discards this content, unsafe objects can be instantiated, potentially leading to remote code execution. Affects Jenkins versions 2.274 and earlier, and LTS 2.263.1 and earlier.

💻 Affected Systems

Products:
  • Jenkins
Versions: Jenkins 2.274 and earlier, Jenkins LTS 2.263.1 and earlier
Operating Systems: All platforms running Jenkins
Default Config Vulnerable: ⚠️ Yes
Notes: Requires attacker to have permission to create or configure objects in Jenkins. Default installations grant these permissions to authenticated users with appropriate roles.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with administrative privileges on the Jenkins server, allowing complete system compromise.

🟠 Likely Case

Authenticated attackers with object creation permissions achieve remote code execution within the Jenkins context.

🟢 If Mitigated

With proper access controls limiting object creation permissions, impact is limited to authorized users only.

🌐 Internet-Facing: HIGH - Jenkins instances exposed to the internet with vulnerable versions are at significant risk if attackers obtain credentials.
🏢 Internal Only: MEDIUM - Internal Jenkins instances still face risk from insider threats or compromised accounts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access with object creation permissions. Attack chain involves content injection followed by administrator action to discard the content.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Jenkins 2.275, Jenkins LTS 2.263.2

Vendor Advisory: https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-1923

Restart Required: Yes

Instructions:

1. Back up Jenkins configuration and data.
2. Upgrade to Jenkins 2.275 or later, or Jenkins LTS 2.263.2 or later.
3. Restart the Jenkins service.
4. Verify that the upgrade completed successfully.

🔧 Temporary Workarounds

Restrict Object Creation Permissions

Limit permissions for creating or configuring objects to trusted administrators only.

Manage Jenkins > Configure Global Security > Matrix-based security or Role-based strategy

🧯 If You Can't Patch

  • Implement strict access controls to limit object creation permissions to essential administrators only.
  • Monitor Old Data Monitor for suspicious content and administrator discard actions.

🔍 How to Verify

Check if Vulnerable:

Check Jenkins version via Manage Jenkins > About Jenkins or via CLI: java -jar jenkins.war --version

Check Version:

java -jar jenkins.war --version

Verify Fix Applied:

Verify version is 2.275 or later (or LTS 2.263.2 or later) and check that Old Data Monitor no longer accepts unsafe object injection.
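The version check above has a subtle point: Jenkins weekly releases use two-component versions (2.274) and LTS releases use three (2.263.1), and each line has its own fixed release, so a naive string comparison gets the LTS line wrong. The following script is an added example, not code from the page or from the Jenkins project; it parses the output of `java -jar jenkins.war --version` and decides whether the running version falls in the affected range stated in this advisory. The sample outputs in the `__main__` block are constructed, not captured from a real server.

```python
import re
import subprocess
from typing import Optional, Tuple

# Fixed releases named in the advisory for CVE-2021-21604.
WEEKLY_FIXED = (2, 275)
LTS_FIXED = (2, 263, 2)

# A bare version on a line by itself, e.g. "2.274" or "2.263.1".
VERSION_RE = re.compile(r"^\s*(\d+\.\d+(?:\.\d+)?)\s*$", re.MULTILINE)


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract the Jenkins version from `java -jar jenkins.war --version` output.

    Only a line consisting solely of a version string is accepted, so any
    JVM or logging noise around it is ignored. Returns a tuple of ints such
    as (2, 274) or (2, 263, 1), or None if no version line is found.
    """
    match = VERSION_RE.search(text)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(version: Tuple[int, ...]) -> bool:
    """True if the version is in the affected range from the advisory.

    Three components means an LTS release (compare against 2.263.2);
    two components means a weekly release (compare against 2.275).
    """
    if len(version) == 3:
        return version < LTS_FIXED
    if len(version) == 2:
        return version < WEEKLY_FIXED
    raise ValueError(f"unrecognised Jenkins version format: {version}")


def assess(text: str) -> str:
    """Turn raw --version output into a one-line verdict."""
    version = parse_version(text)
    if version is None:
        return "unknown: could not find a version string"
    label = "LTS" if len(version) == 3 else "weekly"
    dotted = ".".join(map(str, version))
    if is_vulnerable(version):
        return f"VULNERABLE: Jenkins {label} {dotted} is affected by CVE-2021-21604"
    return f"fixed: Jenkins {label} {dotted} is at or beyond the fixed release"


def check_local_war(war_path: str = "jenkins.war") -> str:
    """Run the version command from the advisory against a local jenkins.war."""
    out = subprocess.run(["java", "-jar", war_path, "--version"],
                         capture_output=True, text=True, check=False)
    return assess(out.stdout)


if __name__ == "__main__":
    # Constructed sample outputs covering both release lines and both sides of the fix.
    for sample in ["2.274\n", "2.275\n", "2.263.1\n", "2.263.2\n", "2.249.3\n"]:
        print(repr(sample.strip()), "->", assess(sample))
```

Run `check_local_war("/path/to/jenkins.war")` on the server, or paste the output of the version command into `assess()`; an older LTS line such as 2.249.x is reported as affected because the advisory covers every LTS release up to and including 2.263.1.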

📡 Detection & Monitoring

Log Indicators:

  • Unusual object creation events
  • Administrator discard actions in Old Data Monitor
  • Deserialization warnings in logs

Network Indicators:

  • Unusual Jenkins API calls for object creation
  • Suspicious payloads in Jenkins requests

SIEM Query:

source="jenkins.log" AND ("Old Data Monitor" OR "discard" OR "deserialization")
