CVE-2021-21633

8.8 HIGH

📋 TL;DR

This cross-site request forgery (CSRF) vulnerability in the Jenkins OWASP Dependency-Track Plugin allows attackers to trick authenticated users into making the plugin connect to an attacker-chosen URL, potentially exposing Jenkins credentials to that URL. It affects Jenkins instances with the vulnerable plugin installed. Attackers can capture sensitive credentials stored in Jenkins.

💻 Affected Systems

Products:
  • Jenkins OWASP Dependency-Track Plugin
Versions: 3.1.0 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the plugin to be installed and configured in Jenkins. Jenkins itself must be accessible to attackers.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers steal Jenkins credentials, gain full administrative access to Jenkins, and potentially compromise the entire CI/CD pipeline and connected systems.

🟠 Likely Case

Attackers capture credentials with sufficient permissions to access sensitive build artifacts, modify configurations, or deploy malicious code.

🟢 If Mitigated

With proper CSRF protections and network segmentation, impact is limited to credential exposure without lateral movement.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires tricking authenticated users into visiting malicious pages. No authentication bypass needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.1.1

Vendor Advisory: https://www.jenkins.io/security/advisory/2021-03-30/#SECURITY-2250

Restart Required: Yes

Instructions:

1. Update Jenkins OWASP Dependency-Track Plugin to version 3.1.1 or later via Jenkins Plugin Manager.
2. Restart Jenkins after the update.

🔧 Temporary Workarounds

Disable Plugin (all)

Temporarily disable the vulnerable plugin if immediate patching isn't possible.

Navigate to Jenkins > Manage Jenkins > Manage Plugins > Installed tab > Find 'OWASP Dependency-Track Plugin' > Disable

Enable CSRF Protection (all)

Ensure Jenkins CSRF protection is enabled globally.

Navigate to Jenkins > Manage Jenkins > Configure Global Security > Check 'Prevent Cross Site Request Forgery exploits'

🧯 If You Can't Patch

  • Restrict network access to Jenkins to trusted IPs only
  • Implement strict Content Security Policy headers

🔍 How to Verify

Check if Vulnerable:

Check plugin version in Jenkins > Manage Jenkins > Manage Plugins > Installed tab > Find 'OWASP Dependency-Track Plugin'

Check Version:

curl -s -u USER:API_TOKEN http://jenkins-url/pluginManager/installed | grep -A2 'OWASP Dependency-Track Plugin'

(The plugin manager page requires an authenticated administrator account; replace USER:API_TOKEN with your own credentials. An unauthenticated request is redirected to the login page and the grep finds nothing.)

Verify Fix Applied:

Verify plugin version is 3.1.1 or higher in Jenkins Plugin Manager
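The version check above can be automated against the Jenkins plugin manager JSON API instead of grepping HTML. The following is an added example, not code from the advisory card or the plugin project; it assumes the plugin's short name is `dependency-track` (verify against your own instance) and uses a constructed sample of the API response so it runs offline.

```python
"""Added example (not from the advisory card): classify a Jenkins instance for
CVE-2021-21633 from the plugin manager JSON API (/pluginManager/api/json?depth=1).
Assumes the plugin's short name is "dependency-track" (check your own instance)."""
import json
import re

FIXED_VERSION = "3.1.1"                 # first fixed release per the advisory
PLUGIN_SHORT_NAME = "dependency-track"  # assumed plugin id, verify locally

# Constructed sample of the API response, trimmed to the fields used here.
SAMPLE_PLUGIN_MANAGER_JSON = json.dumps({"plugins": [
    {"shortName": "git", "version": "4.7.1", "enabled": True},
    {"shortName": "dependency-track", "longName": "OWASP Dependency-Track Plugin",
     "version": "3.1.0", "enabled": True},
]})


def version_key(version: str) -> tuple:
    """'3.1.0' -> (3, 1, 0); a suffix such as '-beta' is ignored so '3.1.1-beta'
    compares as 3.1.1. Numeric comparison, so 3.10 sorts above 3.9."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(n) for n in m.group(0).split(".")) if m else (0,)


def find_plugin(plugin_json: str, short_name: str = PLUGIN_SHORT_NAME):
    """Return the plugin record for short_name, or None if it is not installed."""
    for p in json.loads(plugin_json).get("plugins", []):
        if p.get("shortName") == short_name:
            return p
    return None


def assess(plugin_json: str) -> dict:
    """Status: not_installed, disabled (workaround in place), vulnerable, or fixed."""
    plugin = find_plugin(plugin_json)
    if plugin is None:
        return {"status": "not_installed", "version": None}
    version = plugin.get("version", "0")
    if not plugin.get("enabled", True):
        return {"status": "disabled", "version": version}
    if version_key(version) < version_key(FIXED_VERSION):
        return {"status": "vulnerable", "version": version}
    return {"status": "fixed", "version": version}


if __name__ == "__main__":
    # For a live check, feed in the body of:
    #   curl -s -u USER:API_TOKEN "https://jenkins-url/pluginManager/api/json?depth=1"
    print(assess(SAMPLE_PLUGIN_MANAGER_JSON))  # {'status': 'vulnerable', 'version': '3.1.0'}
```

A disabled plugin is reported separately because the card's workaround (disabling the plugin) removes the exposure without changing the installed version.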

📡 Detection & Monitoring

Log Indicators:

  • Unusual plugin configuration changes
  • Failed authentication attempts from unexpected sources

Network Indicators:

  • Outbound connections from Jenkins to unexpected external URLs

SIEM Query:

source="jenkins.log" AND "OWASP Dependency-Track Plugin" AND ("configuration" OR "connection")
