VYPR
High severity · NVD Advisory · Published Aug 31, 2021 · Updated Aug 3, 2024

CVE-2021-21679

Description

Jenkins Azure AD Plugin 179.vf6841393099e and earlier allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins Azure AD Plugin 179.vf6841393099e and earlier allows attackers to craft URLs that bypass CSRF protection for any target URL in Jenkins.

Vulnerability

Jenkins Azure AD Plugin (now Microsoft Entra ID Plugin) versions 179.vf6841393099e and earlier contain a vulnerability in the implementation of an extension point that selectively disables cross-site request forgery (CSRF) protection for specific URLs. The plugin's implementation is too permissive, allowing attackers to craft URLs that bypass the CSRF protection of any target URL in Jenkins [1][2]. This vulnerability was originally introduced in an earlier version of the plugin.

Exploitation

An attacker with network access to a Jenkins instance can craft a malicious URL that exploits the overly permissive CSRF bypass. The attacker can then trick an authenticated Jenkins user into clicking the crafted URL, or if the attacker has direct access (e.g., via a compromised agent), they can send the request directly. No authentication is required to craft the URL, but the attacker must be able to deliver it to a victim or to the Jenkins server [1].

Impact

Successful exploitation allows the attacker to perform any action on Jenkins that the victim user has permission to execute, without needing a valid CSRF token. This can lead to unauthorized configuration changes, job execution, credential access, or full compromise of the Jenkins instance if the victim has administrative privileges [1].

Mitigation

The vulnerability is fixed in Azure AD Plugin version 180.v8b1e80e6f242, released on 2021-08-31 [2]. Users should upgrade to this version or later immediately. No workarounds are documented. The plugin is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                   Affected versions        Patched versions
org.jenkins-ci.plugins:azure-ad (Maven)   < 180.v8b1e80e6f242      180.v8b1e80e6f242

Patches

8b1e80e6f242

SECURITY-2470

https://github.com/jenkinsci/azure-ad-plugin · Tim Jacomb · Aug 23, 2021 · via ghsa
2 files changed · +6 −2
  • src/main/frontend/index.ts · +5 −1 · modified
    @@ -10,5 +10,9 @@ document.addEventListener('DOMContentLoaded', (_) => {
             .replace('configureSecurity/', '')
             .replace('configure', '');
     
    -    Providers.globalProvider = new ProxyProvider(`${endStrippedCurrentUrl}/GraphProxy`);
    +    Providers.globalProvider = new ProxyProvider(`${endStrippedCurrentUrl}/GraphProxy`, async () => {
    +        return {
    +            [document.head.dataset.crumbHeader as string]: document.head.dataset.crumbValue,
    +        };
    +    });
     })
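Review bot: the callback returns `{ [document.head.dataset.crumbHeader as string]: document.head.dataset.crumbValue }` without checking that either data attribute is present; the `as string` cast only silences the compiler, so when `crumbHeader` is undefined the object is keyed by the literal string "undefined" and every GraphProxy request carries a bogus header. Suggest reading both values first and returning an empty header map when one is missing, e.g. `const { crumbHeader, crumbValue } = document.head.dataset; return crumbHeader && crumbValue ? { [crumbHeader]: crumbValue } : {};`.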
    
  • src/main/java/com/microsoft/jenkins/azuread/AzureSecurityRealm.java · +1 −1 · modified
    @@ -701,7 +701,7 @@ public static final class CrumbExempt extends CrumbExclusion {
             public boolean process(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
                     throws IOException, ServletException {
                 String pathInfo = request.getPathInfo();
    -            if (pathInfo != null && (pathInfo.equals(CALLBACK_URL) || pathInfo.endsWith("GraphProxy/v1.0/$batch"))) {
    +            if (pathInfo != null && pathInfo.equals(CALLBACK_URL)) {
                     chain.doFilter(request, response);
                     return true;
                 }
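Review bot: replacing the removed `pathInfo.endsWith("GraphProxy/v1.0/$batch")` test with the exact `pathInfo.equals(CALLBACK_URL)` match is the right shape, since a suffix test exempted any request path ending in that string regardless of where it was rooted; because the GraphProxy batch endpoint now falls through to the crumb check, this hunk only works together with the frontend change that attaches the crumb header, and that coupling should be stated in the commit message. Suggest adding a unit test for `CrumbExempt.process` asserting that only `CALLBACK_URL` returns true and that a path ending in `GraphProxy/v1.0/$batch` no longer does, so the exclusion cannot quietly widen again.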
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
