VYPR
Moderate severity · NVD Advisory · Published Nov 12, 2021 · Updated Aug 3, 2024

CVE-2021-21700

Description

Jenkins Scriptler Plugin 3.3 and earlier fails to escape script names in the deletion confirmation UI, allowing stored XSS by attackers who can create Scriptler scripts.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Jenkins Scriptler Plugin version 3.3 and earlier contains a stored cross-site scripting (XSS) vulnerability in the user interface. When the plugin asks a user to confirm deletion of a script, the script's name is rendered unsafely without proper HTML escaping. This allows an attacker who can create Scriptler scripts (i.e., users with the ability to add or modify scripts in the Scriptler plugin) to craft a malicious script name containing JavaScript code that will execute in the browser of any administrator or user who views the deletion confirmation dialog. The vulnerability is identified as CVE-2021-21700 (SECURITY-2406) [1][2].

Exploitation

An attacker requires the ability to create or modify Scriptler scripts within a Jenkins instance. This typically means the attacker has at least the Scriptler/AddScript and Scriptler/UpdateScript permissions. The attacker creates a new script with a crafted name containing a JavaScript payload (e.g., ``). When a user with permission to delete scripts (usually an administrator) navigates to the script management page and clicks the delete action, the plugin displays a confirmation dialog that includes the unescaped script name. The malicious script executes in the context of the Jenkins web interface, leading to a stored XSS attack. No user interaction beyond clicking delete is required, and the malicious payload is stored on the server as part of the script name [2].

Impact

Successful exploitation results in arbitrary JavaScript execution in the browser of the victim user within the Jenkins web session. This can allow the attacker to perform actions on behalf of the victim, such as executing administrative operations, stealing session cookies, or modifying Jenkins configuration. The impact is limited to the privileges of the victim user, but since deletion of scripts is typically an administrative action, the victim is often an administrator. The vulnerability is rated as High severity on the CVSS scale [2].

Mitigation

Jenkins Scriptler Plugin version 3.4, released on November 12, 2021, escapes the script names in the deletion confirmation UI, fixing this vulnerability. Users should upgrade to Scriptler Plugin 3.4 or later immediately. No workaround is available for earlier versions. The plugin fix is part of the Jenkins Security Advisory 2021-11-12 [2][3].
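
To audit other Jelly views for the pattern the fix commit on this page removed, the following added example (not code from the Scriptler plugin or the advisory) flags any `${...}` expression interpolated inside an inline event-handler attribute. HTML-escaping does not make that placement safe, because the browser decodes entities in the attribute value before the handler is parsed as JavaScript. The function name is an assumption of this example, and the sample strings are abridged from the diff.

```python
import re

# Inline event-handler attribute (onclick=, onsubmit=, ...) with a quoted value.
# The look-behind skips names such as data-onclick.
HANDLER_ATTR = re.compile(
    r"""(?<![\w-])(on[a-z]+)\s*=\s*(?:"([^"]*)"|'([^']*)')""", re.IGNORECASE
)
# Jelly expression such as ${t.name}; ${%key} is a localisation lookup, not data.
EXPRESSION = re.compile(r"\$\{(?!%)([^}]+)\}")

# Constructed sample input: the form tag before and after the fix (abridged).
BEFORE = """<form method="post" action="removeScript" onclick="return confirmDelete('${t.name}')">
  <input type="hidden" name="id" value="${t.id}" />"""
AFTER = """<form method="post" action="removeScript" data-name="${t.name}" onclick="return confirmDelete(this)">
  <input type="hidden" name="id" value="${t.id}" />"""


def find_handler_interpolations(jelly_source):
    """Return (line, attribute, expression) for each ${...} inside an on* attribute."""
    findings = []
    for match in HANDLER_ATTR.finditer(jelly_source):
        # Exactly one of the two quoted-value groups is set.
        value = match.group(2) if match.group(2) is not None else match.group(3)
        # 1-based line of the attribute, so multi-line tags are reported correctly.
        line_no = jelly_source.count("\n", 0, match.start()) + 1
        for expr in EXPRESSION.finditer(value):
            findings.append((line_no, match.group(1).lower(), expr.group(1).strip()))
    return findings


if __name__ == "__main__":
    for label, source in (("before", BEFORE), ("after", AFTER)):
        print(label, find_handler_interpolations(source))
```

A finding means the value should be moved into a `data-*` attribute and read from the element, as the 3.4 fix does.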

References

[1] NVD - CVE-2021-21700
[2] Jenkins Security Advisory 2021-11-12
[3] oss-security mailing list announcement
[4] Scriptler Plugin GitHub repository

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:scriptler (Maven)
Affected versions: < 3.4
Patched versions: 3.4

Patches

7e4fa9b51f37

SECURITY-2406

https://github.com/jenkinsci/scriptler-plugin · Michael Tughan · Oct 28, 2021 · via ghsa
1 file changed · +3 -2
  • src/main/resources/org/jenkinsci/plugins/scriptler/ScriptlerManagement/index.jelly · +3 -2 · modified
    @@ -67,7 +67,7 @@
     									<a href="editScript?id=${t.id}" class="scriptler-link-button scriptler-icon-slot">
     										<img width="16" height="16" title="${%edit script} ${t.name}" src="${imagesURL }/16x16/document_edit.gif" />
     									</a>
    -									<form method="post" action="removeScript" class="scriptler-inline scriptler-icon-slot" onclick="return confirmDelete('${t.name}')">
    +									<form method="post" action="removeScript" class="scriptler-inline scriptler-icon-slot" data-name="${t.name}" onclick="return confirmDelete(this)">
     										<input type="hidden" name="id" value="${t.id}" />
     										<button type="submit" name="submit_param" value="submit_value" class="scriptler-link-button">
     											<img width="16" height="16" title="${%remove script} ${t.name}" src="${imagesURL}/16x16/edit-delete.gif" />
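
Review bot: the new data-name="${t.name}" attribute on the form line is only safe if this view HTML-escapes expressions in attribute context, and nothing in this hunk shows that it does. Please confirm the file declares escape-by-default (or escape the value explicitly); the same applies to the two title="... ${t.name}" attributes left unchanged in the context lines. Separately, the handler is still attached as onclick on the form rather than onsubmit, so the prompt is tied to any click inside the form instead of to the submission itself.
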
    @@ -99,7 +99,8 @@
     				</table>
     			</div>
         <script>
    -    function confirmDelete(name) {
    +    function confirmDelete(element) {
    +      var name = element.getAttribute('data-name');
           if (confirm("Sure you want to delete ["+name+"]?")) {
             return true;
           }else{
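
Review bot: in confirmDelete(element), the result of element.getAttribute('data-name') is used without a null check, so a call on an element that lacks the attribute shows a prompt reading "[null]". Consider falling back to an empty string or returning false when the attribute is missing. Passing the name to confirm() is fine because the dialog treats it as text, not HTML. The function also stays in an inline script block next to an inline onclick handler; moving both into a static .js resource would let this page run under a Content-Security-Policy that disallows inline script.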
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
