VYPR
Moderate severity · NVD Advisory · Published Jun 30, 2021 · Updated Aug 3, 2024

CVE-2021-21674

Description

Missing permission check in Jenkins requests-plugin Plugin 2.2.6 and earlier allows attackers with Overall/Read permission to view pending requests.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The requests-plugin Plugin lacks a permission check in the endpoint that lists pending requests [1][2]. Version 2.2.6 and all earlier versions are affected [1][4]. The issue is tracked as SECURITY-1995 [1].

Exploitation

An attacker needs only Overall/Read permission on the Jenkins controller [1]. No further authentication or special privileges are required. The attacker can send a request to the affected endpoint to view the list of pending requests [2][4].

Impact

The attacker gains the ability to view the list of pending requests, which may contain sensitive information about pending tasks, users, or other details [1][2]. This is an information disclosure vulnerability with a CVSS score of 3.1 (Low) [4], but it could lead to further reconnaissance.

Mitigation

The issue is fixed in requests-plugin versions 2.2.7, 2.2.8, and 2.2.13 [1][2][3]. Users should upgrade to one of these versions. For earlier versions, ensure that only trusted users have Overall/Read permission [1]. No workaround is provided apart from permission restriction.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
org.jenkins-ci.plugins:requests (Maven) | < 2.2.7 | 2.2.7
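
An added example, not part of the advisory or the plugin's code: a check of a Jenkins plugin inventory against the affected range in the table above. It assumes the plugin's shortName equals the Maven artifactId `requests`; the inventory is a constructed sample in the shape of Jenkins' `/pluginManager/api/json?depth=1` response.

```python
import json
import re

ARTIFACT_ID = "requests"   # from the table; assumed to equal the plugin shortName
FIRST_PATCHED = (2, 2, 7)  # "Patched versions" column

# Constructed sample shaped like Jenkins' /pluginManager/api/json?depth=1 output.
SAMPLE_INVENTORY = json.dumps({"plugins": [
    {"shortName": "requests", "version": "2.2.6", "active": True},
    {"shortName": "git", "version": "4.7.2", "active": True},
]})


def classify(version_text):
    """Return 'affected', 'patched' or 'unknown' for one version string."""
    m = re.match(r"(\d+(?:\.\d+)*)(.*)$", version_text.strip())
    if not m:
        return "unknown"
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (len(FIRST_PATCHED) - len(nums))  # "2.2" -> (2, 2, 0)
    if nums < FIRST_PATCHED:  # numeric compare, so 2.2.13 sorts above 2.2.7
        return "affected"
    if nums == FIRST_PATCHED and m.group(2):
        return "unknown"  # e.g. 2.2.7-SNAPSHOT: may predate the fix, check by hand
    return "patched"


def audit(inventory_json):
    """List every installed copy of the plugin with its verdict."""
    findings = []
    for plugin in json.loads(inventory_json).get("plugins", []):
        if plugin.get("shortName") != ARTIFACT_ID:
            continue
        version = str(plugin.get("version", ""))
        findings.append({"version": version,
                         "active": plugin.get("active"),
                         "status": classify(version)})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(finding)
```
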

Patches

eb8ae816bbe7

SECURITY-1995

https://github.com/jenkinsci/requests-plugin · John Flynn · Aug 31, 2020 · via ghsa
1 file changed · +1 -1
  • src/main/resources/com/michelin/cio/jenkins/plugin/requests/RequestsPlugin/index.jelly · +1 -1 · modified
    @@ -79,7 +79,7 @@
            );
    
         }
    
             </script>
    
    -    <l:layout secured="true">
    
    +    <l:layout permission="${it.requiredPermission}">
    
             <st:include it="${app}" page="sidepanel.jelly"/>
    
             <l:main-panel>            
    
                 <h1>${%requests.plugin.title}</h1>
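
Review bot: On the changed `<l:layout>` line, the gate now depends on `it.requiredPermission`, which is defined outside this one-file change, so the hunk alone does not show which permission is enforced or that the getter can never return null. Please confirm it resolves to something stricter than Overall/Read (the advisory text says Overall/Read was enough to view pending requests), and add a test that requests this page as a user holding only Overall/Read and expects it to be refused. The attribute also guards only the rendering of index.jelly; if the same object serves the request list through any other view or handler, that path needs its own check.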
    
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
