CVE-2021-21657
📋 TL;DR
This vulnerability in Jenkins Filesystem Trigger Plugin allows attackers to perform XML External Entity (XXE) attacks by exploiting improper XML parser configuration. Attackers can read arbitrary files from the Jenkins controller file system, potentially exposing sensitive data. All Jenkins instances using Filesystem Trigger Plugin version 0.40 or earlier are affected.
💻 Affected Systems
- Jenkins Filesystem Trigger Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of Jenkins controller with arbitrary file read, potentially exposing credentials, configuration files, and sensitive data stored on the server.
Likely Case
Unauthorized reading of sensitive files from Jenkins controller, including credentials, configuration files, and potentially source code.
If Mitigated
Limited impact with proper network segmentation and file system permissions, though XXE attacks could still succeed wherever the plugin remains in use.
🎯 Exploit Status
Exploitation requires an attacker to have access to trigger file system monitoring events or to control the XML input to the plugin. XXE attacks are well-documented and relatively easy to execute.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Filesystem Trigger Plugin 0.41 or later
Vendor Advisory: https://www.jenkins.io/security/advisory/2021-05-25/#SECURITY-2339
Restart Required: Yes
Instructions:
1. Update Jenkins to the latest version.
2. Navigate to Manage Jenkins > Manage Plugins.
3. Update Filesystem Trigger Plugin to version 0.41 or later.
4. Restart the Jenkins service.
🔧 Temporary Workarounds
Disable Filesystem Trigger Plugin
Platform: all
Temporarily disable the vulnerable plugin until patching is possible.
1. Navigate to Manage Jenkins > Manage Plugins > Installed tab.
2. Find Filesystem Trigger Plugin and click Disable.
Remove plugin files
Platform: Linux
Manually remove the plugin files from the Jenkins installation.
1. Stop the Jenkins service
2. Remove $JENKINS_HOME/plugins/filesystem-trigger.jpi
3. Remove the $JENKINS_HOME/plugins/filesystem-trigger directory
4. Start the Jenkins service
🧯 If You Can't Patch
- Disable Filesystem Trigger Plugin immediately
- Implement strict network access controls to limit who can access Jenkins instance
- Monitor file system access logs for unusual read patterns
🔍 How to Verify
Check if Vulnerable:
Check plugin version in Jenkins web interface: Manage Jenkins > Manage Plugins > Installed tab, look for Filesystem Trigger Plugin version
Check Version:
Check $JENKINS_HOME/plugins/filesystem-trigger.jpi file version or use Jenkins CLI: java -jar jenkins-cli.jar -s http://localhost:8080/ list-plugins | grep filesystem-trigger
Verify Fix Applied:
Verify Filesystem Trigger Plugin version is 0.41 or higher in Manage Plugins interface
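A small offline version check, added here as an example and not taken from Jenkins or the advisory: it opens the plugin archive (a .jpi is a zip/jar), parses META-INF/MANIFEST.MF, and compares Plugin-Version against 0.41. The path is assumed to be the one named above; the sample archive built by build_test_jpi() is constructed for demonstration only.

```python
import re
import sys
import zipfile
from io import BytesIO

FIXED_VERSION = "0.41"  # first release with the XML parser hardened, per the advisory above


def read_manifest(jpi_bytes: bytes) -> dict:
    """Parse META-INF/MANIFEST.MF from a .jpi archive into a dict of headers.
    Manifest lines are wrapped at 72 bytes; a continuation line starts with a space."""
    with zipfile.ZipFile(BytesIO(jpi_bytes)) as zf:
        raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
    headers, key = {}, None
    for line in raw.splitlines():
        if line.startswith(" ") and key is not None:
            headers[key] += line[1:]          # continuation of the previous header
        elif ":" in line:
            key, _, value = line.partition(":")
            headers[key.strip()] = value.strip()
    return headers


def version_tuple(v: str) -> tuple:
    """Turn '0.40' or '0.41-rc1' into a comparable tuple of its leading numeric fields."""
    m = re.match(r"[\d.]+", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in m.group(0).strip(".").split("."))


def is_vulnerable(jpi_bytes: bytes) -> bool:
    """True when the archive's Plugin-Version is older than the fixed release."""
    manifest = read_manifest(jpi_bytes)
    return version_tuple(manifest["Plugin-Version"]) < version_tuple(FIXED_VERSION)


def build_test_jpi(version: str) -> bytes:
    """Constructed sample archive (not a real plugin) containing only a manifest."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nShort-Name: filesystem-trigger\r\n"
                    f"Plugin-Version: {version}\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    # usage: python check_jpi.py $JENKINS_HOME/plugins/filesystem-trigger.jpi  (path as named on this page)
    with open(sys.argv[1], "rb") as f:
        print("VULNERABLE" if is_vulnerable(f.read()) else "patched")
```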
📡 Detection & Monitoring
Log Indicators:
- Unusual file read operations in Jenkins logs
- XML parsing errors related to external entities
- Multiple failed authentication attempts followed by plugin usage
Network Indicators:
- Unusual XML payloads sent to Jenkins endpoints
- Outbound connections from Jenkins to unexpected external systems
SIEM Query:
source="jenkins.log" AND ("XXE" OR "external entity" OR ("filesystem-trigger" AND "error"))