{ "threat_severity" : "Low", "public_date" : "2021-04-07T00:00:00Z", "bugzilla" : { "description" : "jenkins: lack of type validation in agent related REST API", "id" : "1947102", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1947102" }, "cvss3" : { "cvss3_base_score" : "3.1", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N", "status" : "verified" }, "cwe" : "CWE-20", "details" : [ "Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not validate the type of object created after loading the data submitted to the `config.xml` REST API endpoint of a node, allowing attackers with Computer/Configure permission to replace a node with one of a different type.", "A flaw was found in Jenkins. Due to lack of validation of type of object created after loading the data submitted to the config.xml REST API endpoint of a node, an attackers with Computer/Configure permission are able to replace a node with one of a different type." ], "affected_release" : [ { "product_name" : "Red Hat OpenShift Container Platform 4.7", "release_date" : "2021-05-19T00:00:00Z", "advisory" : "RHSA-2021:1551", "cpe" : "cpe:/a:redhat:openshift:4.7::el8", "package" : "jenkins-0:2.277.3.1620393611-1.el8" }, { "product_name" : "Red Hat OpenShift Container Platform 4.8", "release_date" : "2021-07-27T00:00:00Z", "advisory" : "RHSA-2021:2437", "cpe" : "cpe:/a:redhat:openshift:4.8::el8", "package" : "jenkins-0:2.289.1.1624020353-1.el8" } ], "package_state" : [ { "product_name" : "Red Hat Fuse 7", "fix_state" : "Not affected", "package_name" : "jenkins", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "fix_state" : "Fix deferred", "package_name" : "jenkins", "cpe" : "cpe:/a:redhat:openshift:3.11" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-21639\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-21639" ], "name" : "CVE-2021-21639", "csaw" : false }