CVE-2021-21676
Description
Jenkins requests-plugin Plugin 2.2.7 and earlier lacks a permission check, allowing attackers with Overall/Read to send test emails to arbitrary addresses.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Jenkins requests-plugin Plugin versions 2.2.7 and earlier do not perform a permission check in an HTTP endpoint [1][2]. This allows an attacker with only the Overall/Read permission to exploit the missing authorization to send test emails [1][2].
Exploitation
An attacker needs a Jenkins account with the Overall/Read permission, which is typically granted to most authenticated users. No additional privileges are required [1][2]. The attacker sends a crafted HTTP request to the vulnerable endpoint, specifying an arbitrary recipient email address [1].
Impact
Successful exploitation allows the attacker to send test emails from the Jenkins server to an attacker-specified email address [1]. This can be used for email verification, spamming, or social engineering attacks. The impact is limited to sending emails and does not directly lead to data exfiltration or code execution [2].
Mitigation
The fix is shipped in Jenkins requests-plugin Plugin version 2.2.8 (versions 2.2.7 and earlier are affected); users should upgrade to version 2.2.8 or later [4]. If upgrading is not immediately possible, consider restricting the Overall/Read permission to trusted users as a workaround [2][4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.jenkins-ci.plugins:requests | Maven | < 2.2.8 | 2.2.8 |
Affected products
- Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/advisories/GHSA-w3gm-vv58-wr55 (GHSA; advisory)
2. nvd.nist.gov/vuln/detail/CVE-2021-21676 (GHSA; advisory)
3. www.openwall.com/lists/oss-security/2021/06/30/1 (GHSA; mailing list, x_refsource_MLIST; web)
4. www.jenkins.io/security/advisory/2021-06-30/ (GHSA; x_refsource_CONFIRM; web)
News mentions
- Jenkins Security Advisory 2021-06-30 (Jenkins Security Advisories, Jun 30, 2021)