CVE-2021-21626
Description
Jenkins Warnings NG Plugin 8.4.4 and earlier lacks permission checks in form validation, allowing attackers with Item/Read to check file existence via pattern matching.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Jenkins Warnings Next Generation Plugin versions 8.4.4 and earlier do not perform permission checks in methods implementing form validation. This allows an attacker with Item/Read permission to check whether attacker-specified file patterns match workspace contents, even without Item/Workspace or Item/Configure permissions [1].
Exploitation
An attacker with Item/Read permission can send crafted form validation requests to the plugin, supplying file patterns. The plugin evaluates these patterns against the workspace and returns whether any files match, thereby leaking information about the workspace structure [2].
Impact
This vulnerability leads to information disclosure, as an attacker can determine the existence of specific files or directories in the workspace. No other permissions are required beyond Item/Read [1][2].
Mitigation
The issue is fixed in Warnings Next Generation Plugin version 8.5.0. Users are advised to upgrade to this version or later. No workarounds are available [2][3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| io.jenkins.plugins:warnings-ng (Maven) | < 8.5.0 | 8.5.0 |
Affected products
- Range: unspecified
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-7j3x-xm4j-jfj7 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-21626 (GHSA, advisory)
- www.openwall.com/lists/oss-security/2021/03/18/5 (GHSA, mailing list)
- www.jenkins.io/security/advisory/2021-03-18/ (GHSA, vendor confirmation)
News mentions
- Jenkins Security Advisory 2021-03-18 (Jenkins Security Advisories, Mar 18, 2021)