CVE-2021-21646

8.8 HIGH

📋 TL;DR

Templating Engine Plugin 2.1 and earlier does not protect its pipeline configurations with Script Security Plugin, so a user with Job/Configure permission can supply a pipeline configuration containing arbitrary Groovy that is evaluated in the Jenkins controller JVM. For any authenticated account that can configure a job using the plugin this is remote code execution on the controller. Version 2.2 fixes it by running pipeline configurations in the Groovy sandbox.

💻 Affected Systems

Products:
  • Jenkins Templating Engine Plugin
Versions: 2.1 and earlier
Operating Systems: All platforms running Jenkins
Default Config Vulnerable: ⚠️ Yes
Notes: Requires attacker to have Job/Configure permission. Jenkins instances with this plugin installed are vulnerable regardless of OS.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of Jenkins controller with attacker gaining full control over the Jenkins instance, potentially leading to lateral movement to other systems, data exfiltration, or deployment of persistent backdoors.

🟠

Likely Case

Attackers with Job/Configure permission execute arbitrary code to steal credentials, modify pipelines, or disrupt CI/CD operations.

🟢

If Mitigated

With Job/Configure restricted to a small set of trusted users, the flaw is reachable only by those users. It does not become unexploitable, so restricting permissions reduces exposure but does not replace the patch.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated account with Job/Configure permission and no special tooling: the attacker edits the pipeline configuration of a job that uses the plugin, and the vulnerable plugin evaluates it without the Script Security sandbox. The vendor advisory (SECURITY-2311) documents the flaw and the fix; no authentication bypass is involved.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.2 or later

Vendor Advisory: https://www.jenkins.io/security/advisory/2021-04-21/#SECURITY-2311

Restart Required: Yes

Instructions:

1. Update Templating Engine Plugin to version 2.2 or later via Manage Jenkins > Manage Plugins > Updates.
2. Restart Jenkins (the plugin upgrade takes effect only after a restart).
3. Confirm the installed version is 2.2 or later under Manage Jenkins > Manage Plugins > Installed.

🔧 Temporary Workarounds

Remove Templating Engine Plugin

Applies to: all affected versions

Uninstall the plugin if nothing depends on it. Caveat: every job whose pipeline definition comes from the Templating Engine stops being buildable until the plugin is reinstalled, so inventory those jobs before removing it.

Manage Jenkins > Manage Plugins > Installed > Templating Engine Plugin > Uninstall

Restrict Job/Configure Permissions

Applies to: all affected versions

Grant Job/Configure only to trusted administrators. This limits who can reach the flaw; it does not remove it, because every remaining holder of Job/Configure can still run arbitrary code on the controller.

Manage Jenkins > Configure Global Security > Authorization > Matrix-based security (or Project-based Matrix Authorization Strategy for per-job control)

🧯 If You Can't Patch

  • Implement strict access controls to limit Job/Configure permissions to essential administrators only
  • Network segment Jenkins instances and monitor for suspicious pipeline configuration changes

🔍 How to Verify

Check if Vulnerable:

Check Jenkins Plugin Manager for Templating Engine Plugin version. If version is 2.1 or earlier, system is vulnerable.

Check Version:

Navigate to Manage Jenkins > Manage Plugins > Installed > Search 'Templating Engine'

Verify Fix Applied:

Verify Templating Engine Plugin version is 2.2 or later in Jenkins Plugin Manager.
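The same check, scripted so it can run against many controllers, as an added example (not part of the Jenkins advisory or the plugin's own tooling). It reads the Plugin Manager JSON that `/pluginManager/api/json?depth=1` returns, finds the entry whose `shortName` is `templating-engine` (the plugin's update-site id), and compares its version against 2.2. The sample JSON is constructed for offline use; the live fetch needs an account that may view the Plugin Manager (Overall/Administer on current controllers) and its API token.

```python
"""Check whether a Jenkins controller runs a Templating Engine Plugin version
affected by CVE-2021-21646 (2.1 and earlier; fixed in 2.2).

Added example, not the advisory's or the plugin's own code.
"""
import json
import re
import sys
import urllib.request
from base64 import b64encode

PLUGIN_ID = "templating-engine"   # short name used by the Jenkins update site
FIXED_VERSION = "2.2"

# Constructed sample of the Plugin Manager API output, trimmed to what matters.
SAMPLE_PLUGIN_JSON = json.dumps({
    "plugins": [
        {"shortName": "script-security", "version": "1.76", "active": True},
        {"shortName": "templating-engine", "version": "2.1", "active": True},
    ]
})


def parse_version(v):
    """Turn '2.1', '2.10.1' into a tuple of ints so '2.10' sorts above '2.9'.
    Non-numeric suffixes (e.g. '-beta') are ignored, which is conservative:
    a pre-release of 2.2 is treated as 2.2."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def assess(plugin_json, plugin_id=PLUGIN_ID, fixed=FIXED_VERSION):
    """Return (status, version): status is 'vulnerable', 'fixed' or 'absent'."""
    data = json.loads(plugin_json)
    for p in data.get("plugins", []):
        if p.get("shortName") == plugin_id:
            version = p.get("version", "0")
            if parse_version(version) < parse_version(fixed):
                return "vulnerable", version
            return "fixed", version
    return "absent", None


def fetch_plugin_json(base_url, user, api_token):
    """Query a live controller with HTTP basic auth (user + API token)."""
    url = base_url.rstrip("/") + "/pluginManager/api/json?depth=1"
    req = urllib.request.Request(url)
    creds = b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", "Basic " + creds)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # usage: check_jte.py https://jenkins.example.internal USER API_TOKEN
    if len(sys.argv) == 4:
        doc = fetch_plugin_json(*sys.argv[1:4])
    else:
        doc = SAMPLE_PLUGIN_JSON
    status, version = assess(doc)
    print(f"{PLUGIN_ID}: {status} (installed version: {version})")
    sys.exit(1 if status == "vulnerable" else 0)
```

Exit status 1 on a vulnerable controller makes the script usable from a fleet-wide loop or a CI gate. The `absent` result is worth keeping distinct from `fixed`: a controller without the plugin is not exposed, but an inventory that silently treats it as patched hides plugins installed later.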

📡 Detection & Monitoring

Log Indicators:

  • Job configuration changes (configSubmit events) on jobs that use the Templating Engine, especially by accounts outside the expected set of job maintainers. Jenkins does not record these by default; the Audit Trail or Job Configuration History plugin is needed to produce them.
  • After upgrading to 2.2 or later, Script Security sandbox rejections (RejectedAccessException, "Scripts not permitted to use ...") raised while a pipeline configuration is evaluated: they indicate an attempt to call something outside the sandbox.
  • On a still-unpatched controller, pipeline configurations that reach for controller internals (Runtime, ProcessBuilder, File, Jenkins.instance) rather than plain template settings.

Network Indicators:

  • Unexpected outbound connections from Jenkins controller
  • Suspicious payloads in Jenkins API requests

SIEM Query:

source="jenkins.log" AND ("configSubmit" OR "RejectedAccessException" OR "Scripts not permitted to use")

The strings "SECURITY-2311" and "CVE-2021-21646" never appear in Jenkins logs, so a query keyed on them matches nothing. Match on the events above and correlate configSubmit by user against the list of accounts that should hold Job/Configure.
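The detection logic behind that query, run over sample log lines, as an added example (not part of the advisory or the plugin). It flags two things: configuration submits on jobs by accounts outside an allow-list, which is the step an attacker with Job/Configure must take to plant a malicious pipeline configuration, and Script Security sandbox rejections, which Templating Engine Plugin 2.2 or later produces when a pipeline configuration tries something the sandbox forbids. Assumptions: the config-change lines follow the `job/<name>/configSubmit by <user>` shape the Audit Trail plugin writes, the rejection text is the `RejectedAccessException` message Script Security Plugin emits, and `TRUSTED_CONFIGURERS` is a hypothetical allow-list. The log lines are constructed.

```python
"""Alert on job configuration changes by untrusted users and on Script
Security sandbox rejections, the two log signals relevant to CVE-2021-21646.

Added example, not the advisory's or the plugin's own code.
"""
import re
from collections import Counter

# Assumed Audit Trail style: "... job/<name>/configSubmit by <user>"
CONFIG_SUBMIT = re.compile(r"job/(?P<job>\S+?)/configSubmit by (?P<user>\S+)")
# Script Security Plugin's sandbox rejection message
SANDBOX_REJECT = re.compile(
    r"RejectedAccessException: Scripts not permitted to use (?P<sig>.+)$")

# Constructed sample: audit-trail style lines mixed with console output.
SAMPLE_LOG = """\
Apr 21 2021 10:01:12 job/release-build/configSubmit by alice
Apr 21 2021 10:02:44 job/release-build/configSubmit by mallory
Apr 21 2021 10:02:45 job/release-build/build by mallory
Started by user mallory
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod java.lang.Runtime getRuntime
Apr 21 2021 10:03:10 job/payments-api/configSubmit by mallory
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method java.lang.Runtime exec java.lang.String
"""

TRUSTED_CONFIGURERS = {"alice"}   # hypothetical allow-list of job maintainers


def find_config_changes(log_text):
    """Return [(job, user)] for every job configuration submit in the log."""
    out = []
    for line in log_text.splitlines():
        m = CONFIG_SUBMIT.search(line)
        if m:
            out.append((m.group("job"), m.group("user")))
    return out


def find_sandbox_rejections(log_text):
    """Return the rejected signatures, e.g. 'method java.lang.Runtime exec java.lang.String'."""
    return [m.group("sig").strip()
            for line in log_text.splitlines()
            if (m := SANDBOX_REJECT.search(line))]


def alerts(log_text, trusted=TRUSTED_CONFIGURERS):
    """Combine both signals into a list of alert strings, in log order
    for config changes and then one line per distinct rejected signature."""
    findings = []
    for job, user in find_config_changes(log_text):
        if user not in trusted:
            findings.append(f"config change to '{job}' by untrusted user '{user}'")
    for sig, n in Counter(find_sandbox_rejections(log_text)).items():
        findings.append(f"sandbox rejected '{sig}' x{n}")
    return findings


if __name__ == "__main__":
    for a in alerts(SAMPLE_LOG):
        print("ALERT:", a)
```

Sandbox rejections are only a meaningful "attempt" signal once 2.2 or later is installed; on 2.1 and earlier the pipeline configuration is not sandboxed, so the call simply succeeds and leaves no rejection. The config-change signal works on both.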

🔗 References