CVE-2021-21647
Description
Jenkins CloudBees CD Plugin 1.1.21 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Item/Read permission to schedule builds of projects without having Item/Build permission.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins CloudBees CD Plugin 1.1.21 and earlier lacks a permission check, allowing attackers with Item/Read to schedule builds without Item/Build.
Vulnerability
In Jenkins CloudBees CD Plugin 1.1.21 and earlier, an HTTP endpoint does not perform a permission check. This allows attackers who have at least Item/Read permission on a project to schedule builds of that project, even though they do not have the required Item/Build permission [1][2].
Exploitation
An attacker must have Item/Read permission on a Jenkins project (e.g., via a compromised low-privilege account or misconfigured authorization). With that permission, the attacker can send a crafted HTTP request to the vulnerable endpoint to trigger a build [3][4]. No additional authentication or user interaction is required beyond the initial credential compromise.
Impact
Successful exploitation bypasses the intended Item/Build permission boundary. The attacker can initiate builds of projects without authorization, potentially leading to unauthorized execution of build steps, resource consumption, or exposure of build output. The attacker does not gain code execution directly but can leverage the scheduled build to execute malicious pipeline code if other privileges permit [1][2].
Mitigation
Jenkins CloudBees CD Plugin version 1.1.22, released on April 21, 2021, adds the missing permission check [3][4]. Users should upgrade to 1.1.22 or later. No workaround is documented; administrators can restrict Item/Read permissions to trusted users to reduce risk until the upgrade is applied.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:electricflow (Maven) | < 1.1.18.1 | 1.1.18.1 |
| org.jenkins-ci.plugins:electricflow (Maven) | >= 1.1.19, < 1.1.22 | 1.1.22 |
Affected products
- Jenkins project / Jenkins CloudBees CD Plugin (v5), range: unspecified
Patches
- 597cbb1d767a [SECURITY-2309]
1 file changed · +23 −0
src/main/java/org/jenkinsci/plugins/electricflow/rest/ElectricFlowEFRunAPIAction.java+23 −0 modified@@ -3,6 +3,7 @@ import hudson.model.Action; import hudson.model.Cause; import hudson.model.CauseAction; +import hudson.model.Item; import hudson.model.Job; import hudson.model.ParameterDefinition; import hudson.model.ParameterValue; @@ -73,6 +74,28 @@ public void doBuild(StaplerRequest req, StaplerResponse rsp // @QueryParameter("value") final String value, // JSONObject formData ) throws IOException, ServletException { + + if (!project.hasPermission(Item.BUILD)){ + String message = String.format( + "User is not authorized to queue builds for project '%s'", project.getDisplayName() + ); + + JSONObject responseObject = new JSONObject(); + + rsp.setStatus(403); + responseObject.put("status", "fail"); + responseObject.put("reason", message); + + OutputStream out = rsp.getOutputStream(); + String responseString = responseObject.toString(); + byte[] responseBytes = responseString.getBytes("UTF-8"); + rsp.setContentLength(responseBytes.length); + out.write(responseBytes); + out.flush(); + + return; + } + rsp.setStatus(201); // ServletInputStream is = req.getInputStream(); BufferedReader br = req.getReader();
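Review bot: the 403 branch in doBuild writes a JSON body but never sets a content type, so clients get the servlet default instead of application/json; add `rsp.setContentType("application/json;charset=UTF-8");` next to `rsp.setStatus(403);`, and replace `responseString.getBytes("UTF-8")` with `getBytes(StandardCharsets.UTF_8)` so the checked UnsupportedEncodingException path goes away. Placing the `project.hasPermission(Item.BUILD)` check before any request-body processing is the right shape, and hasPermission rather than checkPermission is a reasonable choice for a REST endpoint that wants to return a structured error instead of letting Jenkins render an AccessDeniedException. Since the commit touches only this one source file, a test that calls the endpoint as a user holding Item/Read but not Item/Build and asserts on the 403 and the `"status": "fail"` body would keep the check from regressing.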
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-7rx6-4vwv-432g (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-21647 (ghsa; ADVISORY)
- www.openwall.com/lists/oss-security/2021/04/21/2 (ghsa; mailing-list; x_refsource_MLIST; WEB)
- github.com/jenkinsci/electricflow-plugin/commit/597cbb1d767ae92c44b4cbd9525fa53ddab37117 (ghsa; WEB)
- www.jenkins.io/security/advisory/2021-04-21/ (ghsa; x_refsource_CONFIRM; WEB)
News mentions
- Jenkins Security Advisory 2021-04-21 (Jenkins Security Advisories · Apr 21, 2021)