VYPR
Moderate severity · NVD Advisory · Published Jun 30, 2021 · Updated Aug 3, 2024

CVE-2021-21675

Description

CSRF in Jenkins requests-plugin allows attackers to create requests or force administrators to apply pending requests.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A cross-site request forgery (CSRF) vulnerability exists in the Jenkins Requests Plugin (requests-plugin) versions 2.2.12 and earlier. The plugin lets non-admin users submit requests for job deletion, rename, build deletion, unlock, etc., which administrators then review and apply. The plugin does not require a CSRF token for the endpoints that create or apply requests, so an attacker can forge such requests on behalf of an authenticated administrator [1][2].

Exploitation

An attacker can exploit this vulnerability by tricking a Jenkins administrator with sufficient permissions into visiting a malicious web page that contains crafted HTML/JavaScript. The attacker does not need any special privileges on the Jenkins instance beyond network access. The malicious page submits a cross-origin request to the Jenkins server, which is processed because the vulnerable endpoints do not enforce CSRF protection. The attacker can either create new requests (e.g., to delete a job) or force the administrator to apply pending requests [1][3].

Impact

Successful exploitation allows the attacker to perform arbitrary actions on the Jenkins instance that the targeted administrator can perform, such as deleting or renaming jobs, deleting or unlocking builds, or applying pending requests. This can lead to unauthorized modification or deletion of Jenkins resources, potentially causing disruption of service or data loss [1][2].

Mitigation

The vulnerability is fixed in requests-plugin version 2.2.13, released on June 30, 2021 [1][2]. Users should upgrade to this version immediately. No workarounds have been disclosed. All prior versions (2.2.12 and earlier) are considered vulnerable [4]. The CVE is not listed in the known exploited vulnerabilities (KEV) catalog as of the publication date.
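The Vulnerability and Mitigation sections above describe the defect (an endpoint that creates or applies a request without CSRF protection) and the fix (upgrade to 2.2.13). The following Java class is an added illustration written for this page; it is not the Requests Plugin's own code, and the package, class, method and parameter names are hypothetical. It shows a Stapler-bound Jenkins action in the weak form beside the hardened form, relying on the standard Jenkins mechanism in which the crumb (CSRF token) filter validates POST requests and `@RequirePOST` rejects every other method.

```java
// Added illustration for this advisory; NOT the requests-plugin's own code.
// The package, class, method names and parameters are hypothetical.
package example.jenkins;

import hudson.model.Action;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;

public class PendingRequestsAction implements Action {

    // Weak form. Stapler binds doApplyUnsafe to .../applyUnsafe for any HTTP
    // method. Jenkins' crumb filter only validates POST requests, so a plain
    // GET issued from another origin while an administrator is logged in
    // reaches apply() with no CSRF check at all. This is the class of defect
    // the advisory describes.
    public void doApplyUnsafe(StaplerRequest req, StaplerResponse rsp,
                              @QueryParameter String requestId) throws IOException {
        apply(requestId);
        rsp.sendRedirect2(".");
    }

    // Hardened form. @RequirePOST makes Stapler reject non-POST requests,
    // so the only path into the method is a POST, and that POST has already
    // passed the crumb filter, which requires the caller's own crumb (a
    // cross-site page cannot read it). The explicit permission check keeps
    // authorization independent of whoever happens to hold the session.
    @RequirePOST
    public void doApply(StaplerRequest req, StaplerResponse rsp,
                        @QueryParameter String requestId) throws IOException {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        apply(requestId);
        rsp.sendRedirect2(".");
    }

    // Hypothetical request application. The real plugin's request types
    // (job deletion, rename, build deletion, unlock) are not modelled here.
    private void apply(String requestId) {
        if (requestId == null || requestId.isEmpty()) {
            throw new IllegalArgumentException("requestId is required");
        }
        // ... look up the pending request by id and carry it out ...
    }

    @Override public String getIconFileName() { return null; }
    @Override public String getDisplayName() { return "Pending requests"; }
    @Override public String getUrlName() { return "pending-requests"; }
}
```

Two points a reviewer would check in a plugin like this: every state-changing `do*` method carries `@RequirePOST` (or an equivalent POST-only guard), and each one performs its own permission check rather than trusting that only administrators will reach the URL. Whether the 2.2.13 release applied exactly this change is not stated on this page; the example only illustrates the hardening pattern, and upgrading remains the fix the advisory gives.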

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:requests (Maven)
Affected versions: < 2.2.13
Patched versions: 2.2.13

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE. Vulnerability mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 5

News mentions: 1