VYPR
Moderate severity · NVD Advisory · Published Jun 16, 2021 · Updated Aug 3, 2024

CVE-2021-21668

Description

Jenkins Scriptler Plugin 3.1 and earlier lacks output encoding of script content, allowing stored XSS via the script editor.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Jenkins Scriptler Plugin 3.1 and earlier does not HTML-escape the content of a saved script when rendering it in the plugin's web interface, resulting in a stored cross-site scripting (XSS) vulnerability [1][3][4]. The affected code path is the script detail/editor page: whatever Groovy source a user saved is written into the page without output encoding, so any HTML markup inside the script text (for example inside a Groovy comment, where it does not affect the script itself) is interpreted by the browser. Users holding Scriptler/Configure permission can store arbitrary script content [4]. No additional configuration is required to expose the vulnerability once the malicious script has been saved.

Exploitation

An attacker must hold Scriptler/Configure permission in Jenkins [1][4]. The attacker creates or edits a script through the Scriptler UI and places HTML carrying JavaScript inside the script content; because the stored text is rendered without encoding, the markup is interpreted by the browser rather than displayed. When any user, including an administrator, opens that script's detail page, the payload executes in the context of the victim's browser session [1][2][4]. No user interaction beyond viewing the script is needed, and the payload persists until the script is edited or deleted.

Impact

Successful exploitation lets the attacker execute arbitrary JavaScript in the victim's browser, which can lead to session hijacking, credential theft, or administrative actions performed with the victim's privileges rather than the attacker's own [1][4]. In practice this means disclosure or modification of Jenkins configuration, jobs and build artifacts that the victim's session can reach, so the severity depends on who views the script: an administrator viewing it exposes the whole controller.

Mitigation

Scriptler Plugin version 3.2 escapes script content on output and fixes this vulnerability [3][4]. All users should upgrade to version 3.2 or later. There is no known workaround for affected versions [4]; since exploitation requires Scriptler/Configure, limiting which accounts hold that permission reduces exposure until the upgrade is applied but does not remove the flaw, and scripts saved before the upgrade should be reviewed, because the stored content itself is not changed by updating the plugin.
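A practical way to check a fleet of controllers against the affected range, as an added example that is not from the advisory or the Jenkins project: Jenkins exposes installed plugins at `/pluginManager/api/json?depth=1` (a real endpoint that accepts basic auth with a user's API token). The code below parses that JSON, compares the Scriptler version against the fixed release named on this page, and handles the version formats Jenkins plugins actually use. The sample responses, function names and the `fetch_plugin_json` helper are assumptions for this example.

```python
"""Flag Jenkins controllers running Scriptler < 3.2 (CVE-2021-21668).

Added example; not from the advisory or the Jenkins project. The sample
responses below are constructed. fetch_plugin_json performs a real HTTP
GET against the pluginManager API but is never called automatically.
"""
import base64
import json
import re
import urllib.request
from typing import Optional, Tuple

PLUGIN_ID = "scriptler"      # Jenkins shortName of the Scriptler plugin
FIXED_VERSION = "3.2"        # first release with output encoding, per the advisory

# Constructed responses in the shape of /pluginManager/api/json?depth=1.
VULNERABLE_RESPONSE = json.dumps({"plugins": [
    {"shortName": "git", "version": "4.7.2", "active": True},
    {"shortName": "scriptler", "version": "3.1", "active": True},
]})
FIXED_RESPONSE = json.dumps({"plugins": [
    {"shortName": "scriptler", "version": "3.2", "active": True},
]})
ABSENT_RESPONSE = json.dumps({"plugins": [
    {"shortName": "git", "version": "4.7.2", "active": True},
]})


def parse_version(v: str) -> Tuple[tuple, int]:
    """Order Jenkins plugin versions: numeric dotted components compared
    numerically ('3.10' > '3.9'), and a pre-release suffix such as
    '3.2-beta-1' sorting before the final '3.2'. Newer '1234.v<hash>'
    versions still compare by their leading numeric component."""
    core, _, suffix = v.partition("-")
    nums = []
    for part in core.split("."):
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    return (tuple(nums), 0 if suffix else 1)


def installed_version(api_json: str, plugin_id: str = PLUGIN_ID) -> Optional[str]:
    """Version string of the named plugin, or None if it is not installed."""
    for plugin in json.loads(api_json).get("plugins", []):
        if plugin.get("shortName") == plugin_id:
            return plugin.get("version")
    return None


def is_vulnerable(api_json: str) -> bool:
    """True when Scriptler is installed at a version below the fix."""
    version = installed_version(api_json)
    if version is None:
        return False
    return parse_version(version) < parse_version(FIXED_VERSION)


def fetch_plugin_json(base_url: str, user: str, api_token: str) -> str:
    """Retrieve the plugin list from a live controller (network call).
    Uses basic auth with an API token, which Jenkins accepts for its
    REST API. Not invoked by the demo below."""
    url = base_url.rstrip("/") + "/pluginManager/api/json?depth=1"
    creds = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {creds}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for label, body in (("vulnerable", VULNERABLE_RESPONSE),
                        ("fixed", FIXED_RESPONSE),
                        ("absent", ABSENT_RESPONSE)):
        print(f"{label:10s} scriptler={installed_version(body)!r} "
              f"vulnerable={is_vulnerable(body)}")
```

The version comparison is the part worth getting right: a naive string compare would rank "3.10" below "3.2" and would treat "3.2-beta-1" as fixed. The same routine can be pointed at any plugin and fixed version from a Jenkins advisory.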

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:scriptler (Maven)
Affected versions: < 3.2
Patched versions: 3.2

Affected products

2

Patches

0

No patches discovered yet.

References

4

News mentions

1