CVE-2021-21675 in requests-plugin

Summary

by MITRE • 07/01/2021

A cross-site request forgery (CSRF) vulnerability in Jenkins requests-plugin Plugin 2.2.12 and earlier allows attackers to create requests and/or have administrators apply pending requests.


Analysis

by VulDB Data Team • 07/09/2021

CVE-2021-21675 is a cross-site request forgery (CSRF) flaw in the Jenkins Requests plugin (requests-plugin), affecting version 2.2.12 and earlier. The plugin lets a user who lacks the permission for an action (for example deleting or renaming a job) file a request for it, which an administrator later reviews and applies from the plugin's UI. Both halves of that workflow, filing a request and applying a pending one, are HTTP endpoints of the plugin, and those endpoints are what the CVE concerns.

The flaw is a missing CSRF control on those state-changing endpoints. Jenkins' built-in CSRF protection (the crumb issuer) only validates POST requests, so an endpoint that performs its action on a plain GET sits outside it: a page the attacker controls can trigger the action with an image tag, a link or a redirect, and the victim's browser attaches the victim's Jenkins session cookie. The attacker needs no Jenkins account of their own, only a logged-in victim who opens the page. A victim allowed to file requests can be made to create one; a victim holding Administer can be made to apply a pending request, and the requested action then runs with administrative authority. Browser SameSite=Lax cookie defaults do not close this, because Lax still sends cookies on top-level GET navigations.
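As an added illustration of the pattern (this is not the Requests plugin's source; the class, URL, request-type and parameter names are assumptions, only the Jenkins and Stapler APIs are real), the shape of a Jenkins web method that is forgeable from a cross-site page, next to the same method restricted to POST, which is the standard Jenkins remedy for this class of bug:

```java
// Added example, not code from the Requests plugin. Class, URL and request-type
// names are assumed; Jenkins/Stapler APIs (@Extension, RootAction, @RequirePOST,
// @QueryParameter, Jenkins.get(), checkPermission) are the real ones.
package example.jenkins.requests;

import hudson.Extension;
import hudson.model.Item;
import hudson.model.RootAction;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;
import java.util.List;
import java.util.concurrent.CopyOnWriteArrayList;

@Extension
public class PendingRequestsAction implements RootAction {

    /** In-memory stand-in for the plugin's persisted queue: entries are "type:jobFullName". */
    private static final List<String> pending = new CopyOnWriteArrayList<>();

    // RootAction wiring: the page is served at <jenkins-root>/example-requests/
    @Override public String getIconFileName() { return "document.png"; }
    @Override public String getDisplayName()  { return "Pending requests (example)"; }
    @Override public String getUrlName()      { return "example-requests"; }

    /*
     * BEFORE (the CVE-2021-21675 pattern): a web method with no HTTP-method restriction.
     * Stapler routes GET /example-requests/createRequestUnprotected?job=X&type=delete here,
     * so <img src="https://jenkins.example/example-requests/createRequestUnprotected?job=X&type=delete">
     * on any page the victim opens files a request with the victim's session cookie attached.
     * The crumb check does not intervene: Jenkins' CrumbFilter only validates POST requests.
     */
    public void doCreateRequestUnprotected(StaplerRequest req, StaplerResponse rsp,
                                           @QueryParameter String job,
                                           @QueryParameter String type) throws IOException {
        Jenkins.get().checkPermission(Jenkins.READ);   // any logged-in user may file a request
        pending.add(type + ":" + job);
        rsp.sendRedirect(".");
    }

    /*
     * AFTER: @RequirePOST makes Stapler reject non-POST requests, so an image tag, link or
     * redirect can no longer reach the action. With the controller's CSRF protection enabled,
     * the POST must also carry a crumb bound to the session, which a cross-origin page cannot
     * read; with that protection disabled, a cross-origin <form method="POST"> would still get
     * through, which is why @RequirePOST and the crumb issuer are needed together.
     */
    @RequirePOST
    public void doCreateRequest(StaplerRequest req, StaplerResponse rsp,
                                @QueryParameter String job,
                                @QueryParameter String type) throws IOException {
        Jenkins.get().checkPermission(Jenkins.READ);
        pending.add(type + ":" + job);
        rsp.sendRedirect(".");
    }

    /*
     * The approval side is the higher-value target: here the forged request would be sent by
     * an administrator's browser, and the queued action runs with that administrator's authority.
     */
    @RequirePOST
    public void doApplyRequest(StaplerRequest req, StaplerResponse rsp,
                               @QueryParameter int index) throws IOException, InterruptedException {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        if (index < 0 || index >= pending.size()) {
            rsp.sendError(404, "no such pending request");
            return;
        }
        String[] entry = pending.remove(index).split(":", 2);
        if ("delete".equals(entry[0]) && entry.length == 2) {
            Item item = Jenkins.get().getItemByFullName(entry[1]);
            if (item != null) {
                item.delete();   // the requested action, performed under the admin's session
            }
        }
        rsp.sendRedirect(".");
    }

    /** Exposed for inspection; the real plugin lists these on its page. */
    public static int pendingCount() { return pending.size(); }
}
```

The quick post-upgrade check follows from the same pattern: a GET to any of the plugin's request-creation or approval URLs must no longer perform the action but be refused, and a POST without a crumb must be rejected by the controller.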

The two halves chain. An attacker who can file a request for an action they lack permission for (directly, or by forging it through another user) and then lure an administrator to a page that applies it obtains that action without the administrator ever seeing the approval screen. What can be obtained is bounded by the actions the plugin offers as requests, such as deleting a job; the CVE does not by itself give code execution on the controller, but a forged job deletion in a CI environment is already a supply-chain incident, and the approval step happening in an administrator's browser is the exposure.

The fix is to update the plugin to 2.2.13 or later. Jenkins' standard remedy for this class of bug is to restrict the affected web methods to POST, which brings them under the controller's crumb-based CSRF check, so keep that protection enabled; on older Jenkins versions that still allow disabling it, a POST-only endpoint becomes forgeable again with a cross-origin form. A web application firewall in front of Jenkins cannot tell a forged request from a legitimate one carrying the same cookie unless it is configured to reject state-changing requests whose Origin or Referer is not the Jenkins URL, which is a workable stopgap until the upgrade. After upgrading, confirm that a GET to the plugin's request endpoints no longer performs the action, and review the plugin's pending and applied requests for entries no user remembers filing.

The weakness is CWE-352 (Cross-Site Request Forgery). The root cause is the absence of an anti-CSRF control on a state-changing endpoint, not an input-validation or authentication bug: the victim is fully authenticated, which is exactly what the attack relies on. ATT&CK has no technique for CSRF as such; the nearest framing is abuse of a legitimate user's browser session to act under their privileges, not credential access, since the attacker never learns the session token or password. The risk is highest where administrators routinely keep a Jenkins session open while browsing other sites.

Reservation: 01/04/2021
Disclosure: 07/01/2021
Moderation: accepted
CPE: ready
EPSS: 0.01256
KEV: no
Activities: very low
