Moderate severity · NVD Advisory · Published Jun 16, 2021 · Updated Aug 3, 2024

CVE-2021-21667

Description

Jenkins Scriptler Plugin 3.2 and earlier stores parameter names unescaped, enabling stored XSS for users with Scriptler/Configure permission.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Jenkins Scriptler Plugin versions 3.2 and earlier do not escape parameter names when displaying them in job configuration forms [1][2]. An attacker with Scriptler/Configure permission can therefore place script markup in a parameter name; the name is stored as-is and later inserted into the configuration UI as HTML rather than as text.

Exploitation

An attacker must have the Scriptler/Configure permission in Jenkins. They can craft a parameter name containing JavaScript code when creating or editing a script via the Scriptler plugin [1][4]. When a user with sufficient privileges views the job configuration form, the injected script executes in the context of their session due to missing escaping [3].

Impact

Successful exploitation leads to stored cross-site scripting (XSS). The attacker can execute arbitrary JavaScript in the victim's browser, potentially stealing session cookies, modifying Jenkins configuration, or performing actions on behalf of the victim with the same privileges [1][4].

Mitigation

Jenkins released Scriptler Plugin version 3.3 containing the fix on June 16, 2021 [4]. All users should upgrade to 3.3 or later. The commit [3] addresses the escaping issue. No workarounds are documented for older versions.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
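The following is an added example, not code from the Scriptler plugin or this advisory. It rebuilds the description string that the patched `scriptler_descArguments()` concatenates from parameter names, shows the output escaping a code path would need if it had to keep an `innerHTML` sink, and audits stored scripts for parameter names that contain markup (names written by 3.2 and earlier remain stored unescaped after the upgrade). The stored-script shape and the sample data are assumptions made for the demo.

```javascript
// Added example (not the Scriptler plugin's own code). Models the description
// string built from parameter names, HTML-escapes it for any remaining HTML
// sink, and audits stored scripts for names that carry markup.
// The stored-script shape {id, parameters:[{name}]} is an assumption.

// Constructed sample of stored scripts; the first parameter name of "deploy"
// carries a harmless markup probe of the kind the advisory describes.
const SAMPLE_SCRIPTS = [
  { id: 'deploy', parameters: [{ name: '<img src=x onerror=alert(1)>' }, { name: 'env' }] },
  { id: 'cleanup', parameters: [{ name: 'retentionDays' }] },
];

// Mirrors the loop in the patched function: "index: name " per parameter.
// With innerHTML this string is parsed as markup; with innerText it is text.
function buildDescription(params) {
  let desc = '';
  for (let j = 0; j < params.length; j++) {
    desc += j + ': ' + params[j].name + ' ';
  }
  return desc;
}

// Escapes the characters that change meaning in HTML text and attribute
// contexts; required wherever untrusted data still reaches an HTML sink.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Anything an HTML parser would treat as a tag, entity or quote boundary.
const MARKUP_RE = /[<>"'&]/;

// Audit helper for data written by unpatched versions: lists every stored
// parameter name that contains markup, with the script it belongs to.
function auditStoredParameterNames(scripts) {
  const findings = [];
  for (const script of scripts) {
    script.parameters.forEach((p, index) => {
      if (MARKUP_RE.test(p.name)) {
        findings.push({ script: script.id, index, name: p.name });
      }
    });
  }
  return findings;
}

// Safe rendering of the same description through an HTML sink.
function safeDescriptionHtml(params) {
  return escapeHtml(buildDescription(params));
}

console.log(auditStoredParameterNames(SAMPLE_SCRIPTS));
console.log(safeDescriptionHtml(SAMPLE_SCRIPTS[0].parameters));
```

Run the audit against an export of the stored scripts after upgrading; a non-empty result means names that predate the fix should be renamed even though the patched rendering no longer interprets them.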

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                    Affected versions   Patched versions
org.jenkins-ci.plugins:scriptler (Maven)   < 3.3               3.3


Patches

ea9c4e6abdd1

SECURITY-2224

https://github.com/jenkinsci/scriptler-plugin · Michael Tughan · Jun 11, 2021 · via ghsa
1 file changed · +1 −1
  • src/main/webapp/lib/scriptler.js  +1 −1  modified
    @@ -27,7 +27,7 @@ function scriptler_descArguments(referenceTag, params){
     			   desc += j+": "+ params[j].name +" ";
     		   }
     		   var descriptionTag = document.getElementsByName('scriptlerParameters').item(i);
    -		   descriptionTag.innerHTML = desc;
    +		   descriptionTag.innerText = desc;
     	   }
         }	   
     }
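Review bot: switching the sink from innerHTML to innerText removes the markup parsing at this call site, so a parameter name carried in `desc` (built from `params[j].name` two lines above) can no longer create elements or event handlers; two follow-ups are worth raising, namely that `textContent` is the more predictable text sink (innerText is layout- and CSS-dependent and forces a reflow), and that because the names remain stored unescaped, every other place that interpolates `params[j].name` into HTML needs the same change or explicit output escaping for the fix to be complete.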
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
