CVE-2021-21677

8.8 HIGH

📋 TL;DR

This vulnerability in Jenkins Code Coverage API Plugin allows attackers to execute arbitrary code on Jenkins servers by exploiting insecure deserialization of Java objects from disk. It affects Jenkins instances running Code Coverage API Plugin version 1.4.0 or earlier. Attackers can achieve remote code execution without authentication if they can upload malicious files to the Jenkins server.

💻 Affected Systems

Products:
  • Jenkins Code Coverage API Plugin
Versions: 1.4.0 and earlier
Operating Systems: All platforms running Jenkins
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the Code Coverage API Plugin to be installed and enabled. Jenkins instances without this plugin are not affected.


⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise allowing attackers to execute arbitrary commands, steal credentials, install malware, or pivot to other systems in the network.

🟠 Likely Case: Remote code execution leading to data theft, service disruption, or installation of backdoors on vulnerable Jenkins servers.

🟢 If Mitigated: Limited impact if proper network segmentation and access controls prevent unauthorized file uploads to Jenkins.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the ability to upload malicious files to the Jenkins server, which may require some level of access depending on the configuration.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.1

Vendor Advisory: https://www.jenkins.io/security/advisory/2021-08-31/#SECURITY-2376

Restart Required: Yes

Instructions:

1. Update Jenkins Code Coverage API Plugin to version 1.4.1 or later via Jenkins Plugin Manager.
2. Restart the Jenkins service to apply the update.

🔧 Temporary Workarounds

Disable Code Coverage API Plugin
Platforms: all
Temporarily disable the vulnerable plugin until patching is possible.
Steps: Navigate to Jenkins > Manage Jenkins > Manage Plugins > Installed tab > Find 'Code Coverage API' > Click 'Disable'

Restrict file upload capabilities
Platforms: all
Implement strict controls on file uploads to the Jenkins server.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Jenkins servers from sensitive systems
  • Apply principle of least privilege to Jenkins service accounts and restrict file system write permissions

🔍 How to Verify

Check if Vulnerable:

Check the Jenkins Plugin Manager for the Code Coverage API Plugin version. If the version is 1.4.0 or earlier, the system is vulnerable.

Check Version:

Check via Jenkins web interface: Manage Jenkins > Manage Plugins > Installed tab > Find 'Code Coverage API'

Verify Fix Applied:

Verify Code Coverage API Plugin version is 1.4.1 or later in Jenkins Plugin Manager.
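For fleets where clicking through the Plugin Manager on every controller is impractical, the same check can be run against the plugin inventory that Jenkins exposes at `/pluginManager/api/json?depth=1`. The script below is an added example, not part of this advisory page: it parses that JSON shape offline from a constructed sample and applies the page's version boundary (1.4.0 and earlier vulnerable, 1.4.1 fixed). The plugin shortName `code-coverage-api` is an assumption; confirm it against your own instance's inventory.

```python
"""Classify a Jenkins plugin inventory for CVE-2021-21677 (Code Coverage API Plugin).

Added example. Input is the JSON returned by /pluginManager/api/json?depth=1,
supplied here as constructed sample strings so the check runs offline.
"""
import json

FIXED_VERSION = (1, 4, 1)                 # first fixed release per the advisory
PLUGIN_SHORT_NAME = "code-coverage-api"   # ASSUMED shortName of the plugin


def parse_version(version: str) -> tuple:
    """Turn '1.4.0', '1.10' or '1.4.1-beta' into an int tuple for safe comparison.

    Plain string comparison would rank '1.10' below '1.4', so each dotted
    component is compared numerically; a pre-release suffix is ignored.
    """
    core = version.split("-")[0]
    parts = []
    for piece in core.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True for 1.4.0 and earlier (tuple comparison treats '1.4' as older than 1.4.1)."""
    return parse_version(version) < FIXED_VERSION


def assess(plugin_api_json: str) -> dict:
    """Return {'status': ..., 'version': ...} for the Code Coverage API Plugin.

    status is one of: 'not_installed', 'disabled', 'vulnerable', 'fixed'.
    A disabled plugin is reported separately because disabling is only the
    page's temporary workaround; the version is still returned so it can be
    queued for the real fix.
    """
    data = json.loads(plugin_api_json)
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") != PLUGIN_SHORT_NAME:
            continue
        version = plugin.get("version", "0")
        if not plugin.get("enabled", True):
            status = "disabled"
        elif is_vulnerable(version):
            status = "vulnerable"
        else:
            status = "fixed"
        return {"status": status, "version": version}
    return {"status": "not_installed", "version": None}


# Constructed sample inventories mimicking the depth=1 API shape.
SAMPLE_VULNERABLE = json.dumps({"plugins": [
    {"shortName": "git", "version": "4.8.2", "enabled": True},
    {"shortName": PLUGIN_SHORT_NAME, "version": "1.4.0", "enabled": True},
]})
SAMPLE_FIXED = json.dumps({"plugins": [
    {"shortName": PLUGIN_SHORT_NAME, "version": "1.4.1", "enabled": True},
]})
SAMPLE_DISABLED = json.dumps({"plugins": [
    {"shortName": PLUGIN_SHORT_NAME, "version": "1.3.2", "enabled": False},
]})


if __name__ == "__main__":
    for label, sample in [("vulnerable", SAMPLE_VULNERABLE),
                          ("fixed", SAMPLE_FIXED),
                          ("disabled", SAMPLE_DISABLED)]:
        print(label, "->", assess(sample))
```

In practice the JSON would be fetched with an API token from each controller; the classification logic above is unchanged. Treat `disabled` as "still needs 1.4.1", not as resolved.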

📡 Detection & Monitoring

Log Indicators:

  • Unusual file upload activities to Jenkins
  • Suspicious Java deserialization errors in Jenkins logs
  • Unexpected process execution from Jenkins service account

Network Indicators:

  • Unusual outbound connections from Jenkins server
  • File uploads to Jenkins endpoints from unexpected sources

SIEM Query:

source="jenkins.log" AND ("deserialization" OR "CodeCoverageAction" OR "upload")
