CVE-2021-21610 - log back

CVE-2021-21610 edited at 13 Jan 2021 15:13:55
References
https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2153
+ https://github.com/jenkinsci/jenkins/commit/89ec0c40b68cd1e4e9f9ef5ebcafd87e7fa16589
CVE-2021-21610 edited at 13 Jan 2021 15:02:53
Severity
- Unknown
+ High
Remote
- Unknown
+ Remote
Type
- Unknown
+ Cross-site scripting
Description
+ Jenkins allows administrators to choose the markup formatter to use for descriptions of jobs, builds, views, etc. displayed in Jenkins. When editing such a description, users can choose to have Jenkins render a formatted preview of the description they entered. Jenkins 2.274 and earlier, LTS 2.263.1 and earlier do not implement any restrictions for the URL rendering the formatted preview of markup passed as a query parameter. This results in a reflected cross-site scripting (XSS) vulnerability if the configured markup formatter does not prohibit unsafe elements (JavaScript) in markup, like Anything Goes Formatter Plugin. Jenkins 2.275, LTS 2.263.2 requires that preview URLs are accessed using POST and sets Content-Security-Policy headers that prevent execution of unsafe elements when the URL is accessed directly.
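The description above names two server-side measures for the preview endpoint: require POST, and send a Content-Security-Policy on the rendered preview. The following is an added illustration written for this record, not Jenkins code: it models the vulnerable endpoint shape (markup taken from a GET query parameter and served as a plain document) beside the hardened shape, using constructed Request/Response dataclasses, two constructed formatters (one escaping, one passthrough standing in for a permissive formatter), and a constructed CSP value that is not claimed to be Jenkins' exact header.

```python
"""
Model of a markup-preview endpoint in the vulnerable and hardened shapes
described for CVE-2021-21610. Constructed illustration, not Jenkins code.
"""
from dataclasses import dataclass, field
from html import escape
from typing import Callable, Dict

Formatter = Callable[[str], str]


# Constructed formatters: one escapes all markup, one passes it through
# unchanged (the behaviour the description attributes to permissive formatters).
def escaping_formatter(markup: str) -> str:
    return escape(markup)


def passthrough_formatter(markup: str) -> str:
    return markup


@dataclass
class Request:
    method: str
    query: Dict[str, str] = field(default_factory=dict)  # URL query string
    form: Dict[str, str] = field(default_factory=dict)   # POST body fields


@dataclass
class Response:
    status: int
    body: str = ""
    headers: Dict[str, str] = field(default_factory=dict)


# Vulnerable shape: any GET with ?text=... renders the markup and serves it
# as an ordinary HTML document, so a link carrying markup is reflected
# straight back whenever the formatter keeps unsafe elements.
def preview_vulnerable(req: Request, fmt: Formatter) -> Response:
    markup = req.query.get("text", "")
    return Response(200, fmt(markup), {"Content-Type": "text/html"})


# Hardened shape, following the two measures the description names:
# only POST renders (a plain link cannot trigger it), and the rendered
# document carries a CSP so a browser opening it directly will not run script.
PREVIEW_CSP = "sandbox; default-src 'none'"  # constructed value, not Jenkins' exact header


def preview_hardened(req: Request, fmt: Formatter) -> Response:
    if req.method != "POST":
        return Response(405, "", {"Allow": "POST"})
    markup = req.form.get("text", "")
    return Response(200, fmt(markup), {
        "Content-Type": "text/html",
        "Content-Security-Policy": PREVIEW_CSP,
    })


def demo() -> Dict[str, Response]:
    # Constructed sample markup containing an unsafe element.
    unsafe = "<b>hello</b><script>/* constructed unsafe element */</script>"
    get_req = Request("GET", query={"text": unsafe})
    post_req = Request("POST", form={"text": unsafe})
    return {
        "vuln_get": preview_vulnerable(get_req, passthrough_formatter),
        "hard_get": preview_hardened(get_req, passthrough_formatter),
        "hard_post": preview_hardened(post_req, passthrough_formatter),
        "hard_post_safe": preview_hardened(post_req, escaping_formatter),
    }


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r.status, r.headers.get("Content-Security-Policy"), r.body[:48])
```

Note that the POST requirement and the CSP header address different cases: the former stops the preview from being reachable through a link or redirect, while the latter limits what a browser will execute if a rendered preview is opened directly; a permissive formatter still emits the unsafe element, so choosing a restrictive formatter remains the underlying control.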
References
+ https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2153
Notes
CVE-2021-21610 created at 13 Jan 2021 14:47:46