VYPR
Moderate severity · NVD Advisory · Published Mar 30, 2021 · Updated Aug 3, 2024

CVE-2021-21630

Description

Jenkins Extra Columns Plugin 1.22 and earlier does not escape parameter values in the build parameters column, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Extra Columns Plugin 1.22 and earlier has a stored XSS via unsanitized parameter values in the build parameters column.

Jenkins Extra Columns Plugin up to version 1.22 fails to escape parameter values in the build parameters column, resulting in a stored cross-site scripting (XSS) vulnerability [1][2]. This occurs because the plugin outputs parameter values directly into HTML without proper sanitization, allowing injection of malicious scripts.

To exploit this vulnerability, an attacker must have Job/Configure permission to set parameter values containing malicious code. Additionally, the view displaying the job must include the build parameters column. If the view does not have this column, the attacker also needs View/Configure permission to add it [1].

Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of any user viewing the affected job's build parameters column. This could lead to session hijacking, data theft, or other malicious actions within Jenkins [1][2].

The vulnerability is fixed in Extra Columns Plugin version 1.23, released on March 30, 2021 [1][3]. Users are advised to upgrade to this version immediately. No workarounds are available.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
org.jenkins-ci.plugins:extra-columns (Maven) | < 1.23 | 1.23

Patches

929887caba35

[SECURITY-2222]

2 files changed · +19 −6
  • src/main/java/jenkins/plugins/extracolumns/BuildParametersColumn.java+9 5 modified
    @@ -33,6 +33,10 @@
     import hudson.views.ListViewColumnDescriptor;
     import hudson.views.ListViewColumn;
     
    +import java.util.ArrayList;
    +import java.util.Collections;
    +import java.util.List;
    +
     import org.kohsuke.stapler.DataBoundConstructor;
     
     public class BuildParametersColumn extends ListViewColumn {
    @@ -59,23 +63,23 @@ public String getRegex(){
             return regex;
         }
     
    -    public String getBuildParameters(Job<?, ?> job) {
    +    public List<String> getBuildParameters(Job<?, ?> job) {
             if (job == null || job.getLastBuild() == null) {
    -            return "";
    +            return Collections.singletonList("");
             }
             Run<?, ?> r = job.getLastBuild();
    -        StringBuilder s = new StringBuilder();
    +        List<String> strings = new ArrayList<String>();
             for(Action action : r.getAllActions()) {
                 if(action instanceof ParametersAction) {
                     ParametersAction pa = (ParametersAction)action;
                     for (ParameterValue p : pa.getParameters()) {
                         if(!isUseRegex() || p.getName().matches(regex)){
    -                        s.append(p.getShortDescription()).append("<br/>");
    +                        strings.add(p.getShortDescription());
                         }
                     }
                 }
             }
    -        return s.toString();
    +        return strings;
         }
     
         @Extension
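
Review bot: the two "nothing to show" cases in getBuildParameters now return different shapes. The early return for a null job or missing last build gives Collections.singletonList(""), while a last build with no ParametersAction, or with a regex that matches no parameter name, falls through and returns the empty strings list. Returning Collections.emptyList() from the early return would make both cases identical and remove the need for the view to special-case a placeholder element. The return type of this public method also changes from String to List<String>, so any other view or caller that reads it as a string changes behaviour; that is worth a line in the release notes.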
    
  • src/main/resources/jenkins/plugins/extracolumns/BuildParametersColumn/column.jelly+10 1 modified
    @@ -26,6 +26,15 @@
     <j:jelly xmlns:j="jelly:core">
       <j:set var="buildParameters" value="${it.getBuildParameters(job)}"/>
       <td>
    -    <j:out value="${buildParameters}" />
    +    <j:choose>
    +      <j:when test="${size(buildParameters) lt 2}">
    +      ${buildParameters[0]}
    +      </j:when>
    +      <j:otherwise>
    +        <j:forEach var="buildParameter" items="${buildParameters}">
    +        ${buildParameter}<br/>
    +        </j:forEach>
    +      </j:otherwise>
    +    </j:choose>
       </td>
     </j:jelly>
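
Review bot: the escaping this fix depends on is not visible in the hunk. Replacing <j:out value="${buildParameters}" /> with bare ${buildParameter} expressions only escapes the value when the file opts in with <?jelly escape-by-default='true'?>, which would sit above the lines shown, so confirm that header is present in column.jelly. Separately, the size(buildParameters) lt 2 branch is also taken for an empty list, which getBuildParameters can return when no parameter matches, and ${buildParameters[0]} then has no element to read; a single j:forEach over the list would cover zero, one and many values without the j:choose. Neither of the two changed files is a test, so a regression test that renders the column with a parameter value containing markup and asserts the output is escaped would be a useful addition.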
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
