CVE-2021-21658

9.1 CRITICAL
XXE

📋 TL;DR

The Jenkins Nuget Plugin 1.0 and earlier contains an XML External Entity (XXE) vulnerability due to improper XML parser configuration. This allows attackers to read arbitrary files from the Jenkins controller file system and potentially perform server-side request forgery. All Jenkins instances using the vulnerable Nuget Plugin are affected.

💻 Affected Systems

Products:
  • Jenkins Nuget Plugin
Versions: 1.0 and earlier
Operating Systems: All platforms running Jenkins
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the Nuget Plugin to be installed and enabled. Jenkins instances without this plugin are not affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of Jenkins controller with arbitrary file read, potential credential theft, and server-side request forgery leading to internal network reconnaissance.

🟠 Likely Case

Unauthorized file system access to read sensitive configuration files, credentials, or source code from the Jenkins controller.

🟢 If Mitigated

Limited impact with proper network segmentation and file system permissions, though file read capability remains possible.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to Jenkins with permissions to configure Nuget packages. XXE attacks are well-documented with available tooling.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Nuget Plugin 1.1

Vendor Advisory: https://www.jenkins.io/security/advisory/2021-05-25/#SECURITY-2340

Restart Required: Yes

Instructions:

1. Update Jenkins Nuget Plugin to version 1.1 or later via Jenkins Plugin Manager.
2. Restart Jenkins to apply the update.
3. Verify the plugin version in Manage Jenkins > Manage Plugins > Installed tab.

🔧 Temporary Workarounds

Disable Nuget Plugin (all platforms)

Temporarily disable the vulnerable plugin if immediate patching is not possible.

Navigate to Manage Jenkins > Manage Plugins > Installed tab, find Nuget Plugin, click Disable.

Restrict Jenkins User Permissions (Linux/Windows)

Limit file system access for the Jenkins service account to reduce impact. The XXE is processed by the Jenkins service account itself, so these permission changes reduce what else that account can reach rather than removing the file read; test any deny rule on a non-production instance first, because a rule that removes the service account's access to its own installation directory or JENKINS_HOME will stop Jenkins from running.

chmod 700 /var/lib/jenkins (Linux)
icacls "C:\Program Files\Jenkins" /deny "jenkins_user":(OI)(CI)F (Windows)

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Jenkins from sensitive internal systems.
  • Apply file system permissions to restrict Jenkins service account access to sensitive directories.

🔍 How to Verify

Check if Vulnerable:

Check Jenkins plugin version: Navigate to Manage Jenkins > Manage Plugins > Installed tab, find Nuget Plugin, verify version is 1.0 or earlier.

Check Version:

The plugin manager API requires an authenticated user with permission to view the plugin list. Filter on the plugin's shortName with jq rather than a fixed grep pattern, since the API does not guarantee that "version" immediately follows "shortName" in the JSON:

curl -s --user "USER:API_TOKEN" 'http://jenkins-host/pluginManager/api/json?depth=1&tree=plugins[shortName,version]' | jq -r '.plugins[] | select(.shortName == "nuget") | .version'

Verify Fix Applied:

Confirm Nuget Plugin version is 1.1 or later in Manage Jenkins > Manage Plugins > Installed tab.
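The same check as a script, as an added example that is not part of the original advisory: it parses the pluginManager JSON (a constructed sample is embedded; the fetch helper, credential handling and the tree filter are assumptions about the Jenkins API layout), locates the nuget plugin and compares its version against the fixed 1.1 release, so it also handles point releases such as 1.0.1 and suffixed versions.

```python
import json
import re
import urllib.request
from base64 import b64encode

FIXED_VERSION = "1.1"  # per the advisory, Nuget Plugin 1.1 contains the fix


def version_key(v):
    """Turn '1.0', '1.1' or '1.0.1-beta' into a comparable tuple of ints (suffix ignored)."""
    nums = re.findall(r"\d+", v.split("-")[0])
    return tuple(int(n) for n in nums)


def nuget_status(plugin_manager_json):
    """Summarise the nuget plugin entry from a pluginManager/api/json?depth=1 document."""
    for p in plugin_manager_json.get("plugins", []):
        if p.get("shortName") == "nuget":
            ver = p.get("version", "")
            return {
                "installed": True,
                "version": ver,
                "enabled": bool(p.get("enabled", True)),
                # Vulnerable whenever the installed version predates the fixed release;
                # a disabled plugin is still reported so it is not forgotten on re-enable.
                "vulnerable": version_key(ver) < version_key(FIXED_VERSION),
            }
    # No nuget entry at all: instance is not affected by this advisory.
    return {"installed": False, "version": None, "enabled": False, "vulnerable": False}


def fetch_plugin_list(base_url, user, api_token):
    """Fetch the plugin list from a live controller using basic auth with an API token (assumed layout)."""
    url = base_url.rstrip("/") + "/pluginManager/api/json?depth=1&tree=plugins[shortName,version,enabled]"
    req = urllib.request.Request(url)
    cred = b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


# Constructed sample of the API response shape (not captured from a real controller).
SAMPLE = {
    "_class": "hudson.LocalPluginManager",
    "plugins": [
        {"shortName": "git", "version": "4.7.2", "enabled": True},
        {"shortName": "nuget", "version": "1.0", "enabled": True},
    ],
}

if __name__ == "__main__":
    print(nuget_status(SAMPLE))
```

Replace SAMPLE with fetch_plugin_list("http://jenkins-host", "USER", "API_TOKEN") to run it against a real controller.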

📡 Detection & Monitoring

Log Indicators:

  • Unusual XML parsing errors in Jenkins logs
  • Multiple failed Nuget package configuration attempts
  • File read operations from unexpected locations

Network Indicators:

  • HTTP requests to internal resources from Jenkins controller
  • Outbound connections from the Jenkins controller to fetch external DTDs or entities from hosts it does not normally contact

SIEM Query:

source="jenkins.log" AND (("XML" AND "entity") OR ("nuget" AND "error"))
