{"url":"http://public2.vulnerablecode.io/api/packages/388389?format=json","purl":"pkg:apk/alpine/jenkins@2.275-r0?arch=aarch64&distroversion=v3.12&reponame=community","type":"apk","namespace":"alpine","name":"jenkins","version":"2.275-r0","qualifiers":{"arch":"aarch64","distroversion":"v3.12","reponame":"community"},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"2.319.2-r0","latest_non_vulnerable_version":"2.319.3-r0","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54548?format=json","vulnerability_id":"VCID-25cp-rjk4-gfdb","summary":"XSS vulnerability in Jenkins notification bar\nJenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape notification bar response contents (typically shown after form submissions via Apply button).\n\nThis results in a cross-site scripting (XSS) vulnerability exploitable by attackers able to influence notification bar contents.\n\nJenkins 2.275, LTS 2.263.2 escapes the content shown in notification 
bars.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21603.json","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21603.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21603","reference_id":"","reference_type":"","scores":[{"value":"0.00319","scoring_system":"epss","scoring_elements":"0.54839","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00319","scoring_system":"epss","scoring_elements":"0.54932","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00319","scoring_system":"epss","scoring_elements":"0.54931","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00319","scoring_system":"epss","scoring_elements":"0.54943","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00319","scoring_system":"epss","scoring_elements":"0.54925","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00319","scoring_system":"epss","scoring_elements":"0.54902","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00319","scoring_system":"epss","scoring_elements":"0.5494","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00319","scoring_system":"epss","scoring_elements":"0.54922","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00319","scoring_system":"epss","scoring_elements":"0.54898","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00319","scoring_system":"epss","scoring_elements":"0.54917","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00319","scoring_system":"epss","scoring_elements":"0.54892","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00319","scoring_system":"epss","scoring_elements":"0.54816","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00319","scoring_system":"epss","scoring_elements":"0.54887","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00319","scoring_system":"epss","scoring_elements":"0.54913","published_
at":"2026-04-04T12:55:00Z"},{"value":"0.00319","scoring_system":"epss","scoring_elements":"0.54883","published_at":"2026-04-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21603"},{"reference_url":"https://github.com/jenkinsci/jenkins","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/jenkinsci/jenkins"},{"reference_url":"https://github.com/jenkinsci/jenkins/commit/f5d98421604e44f398e7de9d222b191a705608af","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/jenkinsci/jenkins/commit/f5d98421604e44f398e7de9d222b191a705608af"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21603","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21603"},{"reference_url":"https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-1889","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-1889"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1925160","reference_id":"1925160","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1925160"},{"reference_url":"https://security.archlinux.org/ASA-202101-41","reference
_id":"ASA-202101-41","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202101-41"},{"reference_url":"https://security.archlinux.org/AVG-1446","reference_id":"AVG-1446","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1446"},{"reference_url":"https://github.com/advisories/GHSA-98gq-6hxg-52r6","reference_id":"GHSA-98gq-6hxg-52r6","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-98gq-6hxg-52r6"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:0423","reference_id":"RHSA-2021:0423","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:0423"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:0429","reference_id":"RHSA-2021:0429","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:0429"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/388389?format=json","purl":"pkg:apk/alpine/jenkins@2.275-r0?arch=aarch64&distroversion=v3.12&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/jenkins@2.275-r0%3Farch=aarch64&distroversion=v3.12&reponame=community"}],"aliases":["CVE-2021-21603","GHSA-98gq-6hxg-52r6"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-25cp-rjk4-gfdb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/58806?format=json","vulnerability_id":"VCID-25jg-8vxe-1feu","summary":"Missing permission check for paths with specific prefix in Jenkins\nJenkins includes a static list of URLs that are always accessible even without Overall/Read permission, such as the login form. 
These URLs are excluded from an otherwise universal permission check.\n\nJenkins 2.274 and earlier, LTS 2.263.1 and earlier does not correctly compare requested URLs with that list.\n\nThis allows attackers without Overall/Read permission to access plugin-provided URLs with any of the following prefixes if no other permissions are required:\n- `accessDenied`\n- `error`\n- `instance-identity`\n- `login`\n- `logout`\n- `oops`\n- `securityRealm`\n- `signup`\n- `tcpSlaveAgentListener`\n\nFor example, a plugin contributing the path `loginFoo/` would have URLs in that space accessible without the default Overall/Read permission check.\n\nThe Jenkins security team is not aware of any affected plugins as of the publication of this advisory.\n\nThe comparison of requested URLs with the list of always accessible URLs has been fixed to only allow access to the specific listed URLs in Jenkins 2.275, LTS 2.263.2.\n\nIn case this change causes problems, additional paths can be made accessible without Overall/Read permissions: The [Java system property](https://www.jenkins.io/doc/book/managing/system-properties/) `jenkins.model.Jenkins.additionalReadablePaths` is a comma-separated list of additional path prefixes to allow access 
to.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21609.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21609.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21609","reference_id":"","reference_type":"","scores":[{"value":"0.00149","scoring_system":"epss","scoring_elements":"0.34959","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00149","scoring_system":"epss","scoring_elements":"0.35496","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00149","scoring_system":"epss","scoring_elements":"0.35507","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00149","scoring_system":"epss","scoring_elements":"0.35463","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00149","scoring_system":"epss","scoring_elements":"0.35441","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00149","scoring_system":"epss","scoring_elements":"0.35481","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00149","scoring_system":"epss","scoring_elements":"0.3547","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00149","scoring_system":"epss","scoring_elements":"0.35418","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00149","scoring_system":"epss","scoring_elements":"0.35183","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00149","scoring_system":"epss","scoring_elements":"0.3516","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00149","scoring_system":"epss","scoring_elements":"0.3508","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00149","scoring_system":"epss","scoring_elements":"0.3532","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00149","scoring_system":"epss","scoring_elements":"0.35518","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00149","scoring_system":"epss","scoring_elements":"0.35544","published_at":"
2026-04-04T12:55:00Z"},{"value":"0.00149","scoring_system":"epss","scoring_elements":"0.35426","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00149","scoring_system":"epss","scoring_elements":"0.35472","published_at":"2026-04-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21609"},{"reference_url":"https://github.com/jenkinsci/jenkins","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/jenkinsci/jenkins"},{"reference_url":"https://github.com/jenkinsci/jenkins/commit/fe9091fc74d55a56fd36544f3038d47c8cb331a4","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/jenkinsci/jenkins/commit/fe9091fc74d55a56fd36544f3038d47c8cb331a4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21609","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21609"},{"reference_url":"https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2047","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2047"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1925141","reference_id":"1925141","reference_type":"","scores":[],"url":"https://bugzilla.redha
t.com/show_bug.cgi?id=1925141"},{"reference_url":"https://security.archlinux.org/ASA-202101-41","reference_id":"ASA-202101-41","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202101-41"},{"reference_url":"https://security.archlinux.org/AVG-1446","reference_id":"AVG-1446","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1446"},{"reference_url":"https://github.com/advisories/GHSA-4625-q52w-39cx","reference_id":"GHSA-4625-q52w-39cx","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4625-q52w-39cx"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:0423","reference_id":"RHSA-2021:0423","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:0423"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:0429","reference_id":"RHSA-2021:0429","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:0429"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/388389?format=json","purl":"pkg:apk/alpine/jenkins@2.275-r0?arch=aarch64&distroversion=v3.12&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/jenkins@2.275-r0%3Farch=aarch64&distroversion=v3.12&reponame=community"}],"aliases":["CVE-2021-21609","GHSA-4625-q52w-39cx"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-25jg-8vxe-1feu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54688?format=json","vulnerability_id":"VCID-3y23-krs1-yudh","summary":"Excessive memory allocation in graph URLs leads to denial of service in Jenkins\nJenkins renders several different graphs for features like agent and label usage statistics, memory 
usage, or various plugin-provided statistics.\n\nJenkins 2.274 and earlier, LTS 2.263.1 and earlier does not limit the graph size provided as query parameters.\n\nThis allows attackers to request or to have legitimate Jenkins users request crafted URLs that rapidly use all available memory in Jenkins, potentially leading to out of memory errors.\n\nJenkins 2.275, LTS 2.263.2 limits the maximum size of graphs to an area of 10 million pixels. If a larger size is requested, the default size for the graph will be rendered instead.\n\nThis threshold can be configured by setting the [Java system property](https://www.jenkins.io/doc/book/managing/system-properties/) `hudson.util.Graph.maxArea` to a different number on startup.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21607.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21607.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21607","reference_id":"","reference_type":"","scores":[{"value":"0.00332","scoring_system":"epss","scoring_elements":"0.55963","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00332","scoring_system":"epss","scoring_elements":"0.5611","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00332","scoring_system":"epss","scoring_elements":"0.56121","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00332","scoring_system":"epss","scoring_elements":"0.56097","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00332","scoring_system":"epss","scoring_elements":"0.56081","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00332","scoring_system":"epss","scoring_elements":"0.56116","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00332","scoring_system":"epss","scoring_elements":"0.56118","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00332","scori
ng_system":"epss","scoring_elements":"0.56089","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00332","scoring_system":"epss","scoring_elements":"0.56014","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00332","scoring_system":"epss","scoring_elements":"0.56035","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00332","scoring_system":"epss","scoring_elements":"0.5601","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00332","scoring_system":"epss","scoring_elements":"0.55943","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00332","scoring_system":"epss","scoring_elements":"0.56054","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00332","scoring_system":"epss","scoring_elements":"0.56075","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00332","scoring_system":"epss","scoring_elements":"0.56105","published_at":"2026-04-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21607"},{"reference_url":"https://github.com/jenkinsci/jenkins","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/jenkinsci/jenkins"},{"reference_url":"https://github.com/jenkinsci/jenkins/commit/a890d68699ad6ca0c8fbc297a1d4b7ebf23f384b","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/jenkinsci/jenkins/commit/a890d68699ad6ca0c8fbc297a1d4b7ebf23f384b"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21607","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":"
"}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21607"},{"reference_url":"https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2025","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2025"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1925156","reference_id":"1925156","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1925156"},{"reference_url":"https://security.archlinux.org/ASA-202101-41","reference_id":"ASA-202101-41","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202101-41"},{"reference_url":"https://security.archlinux.org/AVG-1446","reference_id":"AVG-1446","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1446"},{"reference_url":"https://github.com/advisories/GHSA-cxqw-vjcr-gp5g","reference_id":"GHSA-cxqw-vjcr-gp5g","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cxqw-vjcr-gp5g"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:0423","reference_id":"RHSA-2021:0423","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:0423"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:0429","reference_id":"RHSA-2021:0429","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:0429"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/388389?format=json","purl":"pkg:apk/alpine/jenkins@2.275-r0?arch=aarch64&distroversion=v3.12&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/p
ackages/pkg:apk/alpine/jenkins@2.275-r0%3Farch=aarch64&distroversion=v3.12&reponame=community"}],"aliases":["CVE-2021-21607","GHSA-cxqw-vjcr-gp5g"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3y23-krs1-yudh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57815?format=json","vulnerability_id":"VCID-3ynh-xzxn-jkgy","summary":"Arbitrary file read vulnerability in workspace browsers in Jenkins\nThe file browser for workspaces, archived artifacts, and `$JENKINS_HOME/userContent/` follows symbolic links to locations outside the directory being browsed in Jenkins 2.274 and earlier, LTS 2.263.1 and earlier.\n\nThis allows attackers with Job/Workspace permission and the ability to control workspace contents (e.g., with Job/Configure permission or the ability to change SCM contents) to create symbolic links that allow them to access files outside workspaces using the workspace browser.\n\nThis issue is caused by an incomplete fix for SECURITY-904 / CVE-2018-1000862 in the [2018-12-08 security advisory](https://www.jenkins.io/security/advisory/2018-12-05/#SECURITY-904).\n\nJenkins 2.275, LTS 2.263.2 no longer supports symlinks in workspace browsers. While they may still exist on the file system, they are no longer shown on the UI, accessible via URLs, or included in directory content downloads.\n\nThis fix only changes the behavior of the Jenkins UI. 
Archiving artifacts still behaves as before.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21602.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21602.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21602","reference_id":"","reference_type":"","scores":[{"value":"0.01393","scoring_system":"epss","scoring_elements":"0.80474","published_at":"2026-05-05T12:55:00Z"},{"value":"0.01393","scoring_system":"epss","scoring_elements":"0.80377","published_at":"2026-04-09T12:55:00Z"},{"value":"0.01393","scoring_system":"epss","scoring_elements":"0.80395","published_at":"2026-04-11T12:55:00Z"},{"value":"0.01393","scoring_system":"epss","scoring_elements":"0.8038","published_at":"2026-04-12T12:55:00Z"},{"value":"0.01393","scoring_system":"epss","scoring_elements":"0.80373","published_at":"2026-04-13T12:55:00Z"},{"value":"0.01393","scoring_system":"epss","scoring_elements":"0.80402","published_at":"2026-04-16T12:55:00Z"},{"value":"0.01393","scoring_system":"epss","scoring_elements":"0.80404","published_at":"2026-04-18T12:55:00Z"},{"value":"0.01393","scoring_system":"epss","scoring_elements":"0.80408","published_at":"2026-04-21T12:55:00Z"},{"value":"0.01393","scoring_system":"epss","scoring_elements":"0.80434","published_at":"2026-04-24T12:55:00Z"},{"value":"0.01393","scoring_system":"epss","scoring_elements":"0.80441","published_at":"2026-04-26T12:55:00Z"},{"value":"0.01393","scoring_system":"epss","scoring_elements":"0.80458","published_at":"2026-04-29T12:55:00Z"},{"value":"0.01393","scoring_system":"epss","scoring_elements":"0.80322","published_at":"2026-04-01T12:55:00Z"},{"value":"0.01393","scoring_system":"epss","scoring_elements":"0.80329","published_at":"2026-04-02T12:55:00Z"},{"value":"0.01393","scoring_system":"epss","
scoring_elements":"0.80349","published_at":"2026-04-04T12:55:00Z"},{"value":"0.01393","scoring_system":"epss","scoring_elements":"0.80338","published_at":"2026-04-07T12:55:00Z"},{"value":"0.01393","scoring_system":"epss","scoring_elements":"0.80366","published_at":"2026-04-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21602"},{"reference_url":"https://github.com/jenkinsci/jenkins","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/jenkinsci/jenkins"},{"reference_url":"https://github.com/jenkinsci/jenkins/commit/71d2ecf1a4e5303e80815eaa3935c4f2fa3d9104","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/jenkinsci/jenkins/commit/71d2ecf1a4e5303e80815eaa3935c4f2fa3d9104"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21602","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21602"},{"reference_url":"https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-1452","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-1452"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1925161","reference_id":"1925161","reference_type":
"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1925161"},{"reference_url":"https://security.archlinux.org/ASA-202101-41","reference_id":"ASA-202101-41","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202101-41"},{"reference_url":"https://security.archlinux.org/AVG-1446","reference_id":"AVG-1446","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1446"},{"reference_url":"https://github.com/advisories/GHSA-vpjm-58cw-r8q5","reference_id":"GHSA-vpjm-58cw-r8q5","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vpjm-58cw-r8q5"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:0423","reference_id":"RHSA-2021:0423","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:0423"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:0429","reference_id":"RHSA-2021:0429","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:0429"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/388389?format=json","purl":"pkg:apk/alpine/jenkins@2.275-r0?arch=aarch64&distroversion=v3.12&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/jenkins@2.275-r0%3Farch=aarch64&distroversion=v3.12&reponame=community"}],"aliases":["CVE-2021-21602","GHSA-vpjm-58cw-r8q5"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3ynh-xzxn-jkgy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54546?format=json","vulnerability_id":"VCID-4y3h-rxbk-cua1","summary":"Arbitrary file existence check in file fingerprints in Jenkins\nJenkins provides a feature for jobs to store and track fingerprints of 
files used during a build. Jenkins 2.274 and earlier, LTS 2.263.1 and earlier provides a REST API to check where a given fingerprint was used by which builds. This endpoint does not fully validate that the provided fingerprint ID is properly formatted before checking for the XML metadata for that fingerprint on the controller file system.\n\nThis allows attackers with Overall/Read permission to check for the existence of XML files on the controller file system where the relative path can be constructed as 32 characters.\n\nJenkins 2.275, LTS 2.263.2 validates that a fingerprint ID is properly formatted before checking for its existence.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21606.json","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21606.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21606","reference_id":"","reference_type":"","scores":[{"value":"0.00235","scoring_system":"epss","scoring_elements":"0.46202","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00235","scoring_system":"epss","scoring_elements":"0.46294","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00235","scoring_system":"epss","scoring_elements":"0.4635","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00235","scoring_system":"epss","scoring_elements":"0.46374","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00235","scoring_system":"epss","scoring_elements":"0.46345","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00235","scoring_system":"epss","scoring_elements":"0.46355","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00235","scoring_system":"epss","scoring_elements":"0.46412","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00235","scoring_system":"epss","scoring_elements":"0.46409","published_at":"2026-04-18T12:55:00Z"}
,{"value":"0.00235","scoring_system":"epss","scoring_elements":"0.46336","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00235","scoring_system":"epss","scoring_elements":"0.46347","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00235","scoring_system":"epss","scoring_elements":"0.46296","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00235","scoring_system":"epss","scoring_elements":"0.46286","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00235","scoring_system":"epss","scoring_elements":"0.46326","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00235","scoring_system":"epss","scoring_elements":"0.46346","published_at":"2026-04-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21606"},{"reference_url":"https://github.com/jenkinsci/jenkins","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/jenkinsci/jenkins"},{"reference_url":"https://github.com/jenkinsci/jenkins/commit/f576b2eb4375f2bb076ce477cee27a946b65f22a","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/jenkinsci/jenkins/commit/f576b2eb4375f2bb076ce477cee27a946b65f22a"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21606","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21606"},{"reference_url":"https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2023","reference_id":"","reference_type":"","scores":[
{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2023"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1925159","reference_id":"1925159","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1925159"},{"reference_url":"https://security.archlinux.org/ASA-202101-41","reference_id":"ASA-202101-41","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202101-41"},{"reference_url":"https://security.archlinux.org/AVG-1446","reference_id":"AVG-1446","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1446"},{"reference_url":"https://github.com/advisories/GHSA-f585-9fw3-rj2m","reference_id":"GHSA-f585-9fw3-rj2m","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f585-9fw3-rj2m"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:0423","reference_id":"RHSA-2021:0423","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:0423"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:0429","reference_id":"RHSA-2021:0429","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:0429"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/388389?format=json","purl":"pkg:apk/alpine/jenkins@2.275-r0?arch=aarch64&distroversion=v3.12&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/jenkins@2.275-r0%3Farch=aarch64&distroversion=v3.12&reponame=community"}],"aliases":["CVE-2021-21606","GHSA-f585-9fw3-rj2m"],"risk_score":4.0,"exploitability":"0.5","weight
ed_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4y3h-rxbk-cua1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54506?format=json","vulnerability_id":"VCID-5yuh-2e55-hfbt","summary":"Stored XSS vulnerability in Jenkins on new item page\nJenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape display names and IDs of item types shown on the New Item page.\n\nThis results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to specify display names or IDs of item types.\n\nAs of the publication of this advisory, the Jenkins security team is not aware of any plugins published via the Jenkins project update center that allow doing this.\nJenkins 2.275, LTS 2.263.2 escapes display names and IDs of item types shown on the New Item page.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21611.json","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21611.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21611","reference_id":"","reference_type":"","scores":[{"value":"0.00319","scoring_system":"epss","scoring_elements":"0.54839","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00319","scoring_system":"epss","scoring_elements":"0.54932","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00319","scoring_system":"epss","scoring_elements":"0.54931","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00319","scoring_system":"epss","scoring_elements":"0.54943","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00319","scoring_system":"epss","scoring_elements":"0.54925","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00319","scoring_system":"epss","scoring_elements":"0.54902","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00319","scoring_
system":"epss","scoring_elements":"0.5494","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00319","scoring_system":"epss","scoring_elements":"0.54922","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00319","scoring_system":"epss","scoring_elements":"0.54898","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00319","scoring_system":"epss","scoring_elements":"0.54917","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00319","scoring_system":"epss","scoring_elements":"0.54892","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00319","scoring_system":"epss","scoring_elements":"0.54816","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00319","scoring_system":"epss","scoring_elements":"0.54887","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00319","scoring_system":"epss","scoring_elements":"0.54913","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00319","scoring_system":"epss","scoring_elements":"0.54883","published_at":"2026-04-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21611"},{"reference_url":"https://github.com/jenkinsci/jenkins","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/jenkinsci/jenkins"},{"reference_url":"https://github.com/jenkinsci/jenkins/commit/8c451b08886561a914ef0c30cbb9d40ea33a9bbe","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/jenkinsci/jenkins/commit/8c451b08886561a914ef0c30cbb9d40ea33a9bbe"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21611","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/
AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21611"},{"reference_url":"https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2171","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2171"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1925145","reference_id":"1925145","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1925145"},{"reference_url":"https://security.archlinux.org/ASA-202101-41","reference_id":"ASA-202101-41","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202101-41"},{"reference_url":"https://security.archlinux.org/AVG-1446","reference_id":"AVG-1446","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1446"},{"reference_url":"https://github.com/advisories/GHSA-mj7q-cmf3-mg7h","reference_id":"GHSA-mj7q-cmf3-mg7h","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mj7q-cmf3-mg7h"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:0423","reference_id":"RHSA-2021:0423","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:0423"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:0429","reference_id":"RHSA-2021:0429","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:0429"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/388389?format=json","purl":"pkg:apk/alpine/jenkins@2.275-r0?arch=aarch64&distroversion=v3.12&reponame=communit
y","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/jenkins@2.275-r0%3Farch=aarch64&distroversion=v3.12&reponame=community"}],"aliases":["CVE-2021-21611","GHSA-mj7q-cmf3-mg7h"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5yuh-2e55-hfbt"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/55024?format=json","vulnerability_id":"VCID-6rk7-hffm-nbau","summary":"Reflected XSS vulnerability in Jenkins markup formatter preview\nJenkins allows administrators to choose the markup formatter to use for descriptions of jobs, builds, views, etc. displayed in Jenkins. When editing such a description, users can choose to have Jenkins render a formatted preview of the description they entered.\n\nJenkins 2.274 and earlier, LTS 2.263.1 and earlier does not implement any restrictions for the URL rendering the formatted preview of markup passed as a query parameter. This results in a reflected cross-site scripting (XSS) vulnerability if the configured markup formatter does not prohibit unsafe elements (JavaScript) in markup, like [Anything Goes Formatter Plugin](https://plugins.jenkins.io/anything-goes-formatter/).\n\nJenkins 2.275, LTS 2.263.2 requires that preview URLs are accessed using POST and sets Content-Security-Policy headers that prevent execution of unsafe elements when the URL is accessed directly.\n\nIn case of problems with this change, these protections can be disabled by setting the [Java system properties](https://www.jenkins.io/doc/book/managing/system-properties/) `hudson.markup.MarkupFormatter.previewsAllowGET` to `true` and/or `hudson.markup.MarkupFormatter.previewsSetCSP` to `false`. 
Doing either is discouraged.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21610.json","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21610.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21610","reference_id":"","reference_type":"","scores":[{"value":"0.00327","scoring_system":"epss","scoring_elements":"0.55547","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00327","scoring_system":"epss","scoring_elements":"0.55688","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00327","scoring_system":"epss","scoring_elements":"0.55697","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00327","scoring_system":"epss","scoring_elements":"0.55677","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00327","scoring_system":"epss","scoring_elements":"0.55659","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00327","scoring_system":"epss","scoring_elements":"0.55698","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00327","scoring_system":"epss","scoring_elements":"0.55701","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00327","scoring_system":"epss","scoring_elements":"0.55681","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00327","scoring_system":"epss","scoring_elements":"0.55607","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00327","scoring_system":"epss","scoring_elements":"0.55624","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00327","scoring_system":"epss","scoring_elements":"0.556","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00327","scoring_system":"epss","scoring_elements":"0.55519","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00327","scoring_system":"epss","scoring_elements":"0.55631","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00327","scoring_system":"epss","scoring_elements"
:"0.55655","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00327","scoring_system":"epss","scoring_elements":"0.55633","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00327","scoring_system":"epss","scoring_elements":"0.55685","published_at":"2026-04-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21610"},{"reference_url":"https://github.com/jenkinsci/jenkins","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/jenkinsci/jenkins"},{"reference_url":"https://github.com/jenkinsci/jenkins/commit/89ec0c40b68cd1e4e9f9ef5ebcafd87e7fa16589","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/jenkinsci/jenkins/commit/89ec0c40b68cd1e4e9f9ef5ebcafd87e7fa16589"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21610","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21610"},{"reference_url":"https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2153","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2153"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1925151","reference_id":"1925151","reference_type":"","scores":[],"u
rl":"https://bugzilla.redhat.com/show_bug.cgi?id=1925151"},{"reference_url":"https://security.archlinux.org/ASA-202101-41","reference_id":"ASA-202101-41","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202101-41"},{"reference_url":"https://security.archlinux.org/AVG-1446","reference_id":"AVG-1446","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1446"},{"reference_url":"https://github.com/advisories/GHSA-7qf3-c2q8-69m3","reference_id":"GHSA-7qf3-c2q8-69m3","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7qf3-c2q8-69m3"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:0423","reference_id":"RHSA-2021:0423","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:0423"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:0429","reference_id":"RHSA-2021:0429","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:0429"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/388389?format=json","purl":"pkg:apk/alpine/jenkins@2.275-r0?arch=aarch64&distroversion=v3.12&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/jenkins@2.275-r0%3Farch=aarch64&distroversion=v3.12&reponame=community"}],"aliases":["CVE-2021-21610","GHSA-7qf3-c2q8-69m3"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6rk7-hffm-nbau"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57594?format=json","vulnerability_id":"VCID-7fep-hazu-2fgt","summary":"Credentials stored in plain text by Jenkins Bumblebee HP ALM Plugin\nJenkins Bumblebee HP ALM Plugin 4.1.5 and earlier stores credentials unencrypted in its 
global configuration file `com.agiletestware.bumblebee.BumblebeeGlobalConfig.xml` on the Jenkins controller as part of its configuration.\n\nThese credentials can be viewed by users with access to the Jenkins controller file system.\n\nJenkins Bumblebee HP ALM Plugin 4.1.6 stores credentials encrypted once its configuration is saved again.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21614","reference_id":"","reference_type":"","scores":[{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01476","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01396","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01385","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01378","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.0138","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01372","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01465","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01474","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01477","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01485","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01365","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01377","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01382","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01392","publish
ed_at":"2026-04-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21614"},{"reference_url":"https://github.com/jenkinsci/bumblebee-plugin","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/jenkinsci/bumblebee-plugin"},{"reference_url":"https://github.com/jenkinsci/bumblebee-plugin/commit/7faf4bd6e702726bb7542f370cbdedcbfa340443","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/jenkinsci/bumblebee-plugin/commit/7faf4bd6e702726bb7542f370cbdedcbfa340443"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21614","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21614"},{"reference_url":"https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2156","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2156"},{"reference_url":"https://github.com/advisories/GHSA-8v72-qr3h-c6rv","reference_id":"GHSA-8v72-qr3h-c6rv","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8v72-qr3h-c6rv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/p
ackages/388389?format=json","purl":"pkg:apk/alpine/jenkins@2.275-r0?arch=aarch64&distroversion=v3.12&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/jenkins@2.275-r0%3Farch=aarch64&distroversion=v3.12&reponame=community"}],"aliases":["CVE-2021-21614","GHSA-8v72-qr3h-c6rv"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7fep-hazu-2fgt"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/55918?format=json","vulnerability_id":"VCID-9zky-rdj1-pudy","summary":"Stored XSS vulnerability in Jenkins button labels\nJenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape button labels in the Jenkins UI.\n\nThis results in a cross-site scripting vulnerability exploitable by attackers with the ability to control button labels. An example of buttons with a user-controlled label are the buttons of the Pipeline `input` step.\n\nJenkins 2.275, LTS 2.263.2 escapes button labels in the Jenkins 
UI.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21608.json","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21608.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21608","reference_id":"","reference_type":"","scores":[{"value":"0.0054","scoring_system":"epss","scoring_elements":"0.67666","published_at":"2026-04-29T12:55:00Z"},{"value":"0.0054","scoring_system":"epss","scoring_elements":"0.67567","published_at":"2026-04-07T12:55:00Z"},{"value":"0.0054","scoring_system":"epss","scoring_elements":"0.67619","published_at":"2026-04-08T12:55:00Z"},{"value":"0.0054","scoring_system":"epss","scoring_elements":"0.67632","published_at":"2026-04-09T12:55:00Z"},{"value":"0.0054","scoring_system":"epss","scoring_elements":"0.67655","published_at":"2026-04-18T12:55:00Z"},{"value":"0.0054","scoring_system":"epss","scoring_elements":"0.67641","published_at":"2026-05-05T12:55:00Z"},{"value":"0.0054","scoring_system":"epss","scoring_elements":"0.67608","published_at":"2026-04-13T12:55:00Z"},{"value":"0.0054","scoring_system":"epss","scoring_elements":"0.67643","published_at":"2026-04-16T12:55:00Z"},{"value":"0.0054","scoring_system":"epss","scoring_elements":"0.67634","published_at":"2026-04-21T12:55:00Z"},{"value":"0.0054","scoring_system":"epss","scoring_elements":"0.67653","published_at":"2026-04-24T12:55:00Z"},{"value":"0.0054","scoring_system":"epss","scoring_elements":"0.67664","published_at":"2026-04-26T12:55:00Z"},{"value":"0.0054","scoring_system":"epss","scoring_elements":"0.67531","published_at":"2026-04-01T12:55:00Z"},{"value":"0.0054","scoring_system":"epss","scoring_elements":"0.67568","published_at":"2026-04-02T12:55:00Z"},{"value":"0.0054","scoring_system":"epss","scoring_elements":"0.67589","published_at":"2026-04-04
T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21608"},{"reference_url":"https://github.com/jenkinsci/jenkins","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/jenkinsci/jenkins"},{"reference_url":"https://github.com/jenkinsci/jenkins/commit/8c451b08886561a914ef0c30cbb9d40ea33a9bbe","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/jenkinsci/jenkins/commit/8c451b08886561a914ef0c30cbb9d40ea33a9bbe"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21608","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21608"},{"reference_url":"https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2035","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2035"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1925140","reference_id":"1925140","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1925140"},{"reference_url":"https://security.archlinux.org/ASA-202101-41","reference_id":"ASA-202101-41","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202101-41"},{"reference_url":"h
ttps://security.archlinux.org/AVG-1446","reference_id":"AVG-1446","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1446"},{"reference_url":"https://github.com/advisories/GHSA-wv63-gwr9-5c55","reference_id":"GHSA-wv63-gwr9-5c55","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wv63-gwr9-5c55"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:0423","reference_id":"RHSA-2021:0423","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:0423"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:0429","reference_id":"RHSA-2021:0429","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:0429"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/388389?format=json","purl":"pkg:apk/alpine/jenkins@2.275-r0?arch=aarch64&distroversion=v3.12&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/jenkins@2.275-r0%3Farch=aarch64&distroversion=v3.12&reponame=community"}],"aliases":["CVE-2021-21608","GHSA-wv63-gwr9-5c55"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9zky-rdj1-pudy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54770?format=json","vulnerability_id":"VCID-aver-ae34-63e3","summary":"Credentials stored in plain text by Jenkins TraceTronic ECU-TEST Plugin\nJenkins TraceTronic ECU-TEST Plugin 2.23.1 and earlier stores credentials unencrypted in its global configuration file `de.tracetronic.jenkins.plugins.ecutest.report.atx.installation.ATXInstallation.xml` on the Jenkins controller as part of its configuration.\n\nThese credentials can be viewed by users with access to the Jenkins controller 
file system.\n\nJenkins TraceTronic ECU-TEST Plugin 2.24 adds a new option type for sensitive options. Previously stored credentials are migrated to that option type on Jenkins startup.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21612","reference_id":"","reference_type":"","scores":[{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07398","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07447","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07436","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07362","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07348","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07476","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07426","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07397","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07231","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07361","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07406","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07389","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07444","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07467","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.0746","published_at":"2026-04-11T12:55:00Z"}],"url":"https:
//api.first.org/data/v1/epss?cve=CVE-2021-21612"},{"reference_url":"https://github.com/jenkinsci/ecutest-plugin","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/jenkinsci/ecutest-plugin"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21612","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21612"},{"reference_url":"https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2057","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2057"},{"reference_url":"https://github.com/advisories/GHSA-qvjr-x8fw-hghv","reference_id":"GHSA-qvjr-x8fw-hghv","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qvjr-x8fw-hghv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/388389?format=json","purl":"pkg:apk/alpine/jenkins@2.275-r0?arch=aarch64&distroversion=v3.12&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/jenkins@2.275-r0%3Farch=aarch64&distroversion=v3.12&reponame=community"}],"aliases":["CVE-2021-21612","GHSA-qvjr-x8fw-hghv"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabiliti
es/VCID-aver-ae34-63e3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/55091?format=json","vulnerability_id":"VCID-db62-2h4q-x7fv","summary":"Improper handling of REST API XML deserialization errors in Jenkins\nJenkins provides XML REST APIs to configure views, jobs, and other items. When deserialization fails because of invalid data, Jenkins 2.274 and earlier, LTS 2.263.1 and earlier stores invalid object references created through these endpoints in the Old Data Monitor. If an administrator discards the old data, some erroneous data submitted to these endpoints may be persisted.\n\nThis allows attackers with View/Create, Job/Create, Agent/Create, or their respective */Configure permissions to inject crafted content into Old Data Monitor that results in the instantiation of potentially unsafe objects when discarded by an administrator.\n\nJenkins 2.275, LTS 2.263.2 does not record submissions from users in Old Data Monitor anymore.\n\nIn case of problems, the [Java system properties](https://www.jenkins.io/doc/book/managing/system-properties/) `hudson.util.RobustReflectionConverter.recordFailuresForAdmins` and `hudson.util.RobustReflectionConverter.recordFailuresForAllAuthentications` can be set to true to record configuration data submissions from administrators or all users, partially or completely disabling this 
fix.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21604.json","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21604.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21604","reference_id":"","reference_type":"","scores":[{"value":"0.00835","scoring_system":"epss","scoring_elements":"0.74709","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00835","scoring_system":"epss","scoring_elements":"0.74631","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00835","scoring_system":"epss","scoring_elements":"0.74653","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00835","scoring_system":"epss","scoring_elements":"0.74633","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00835","scoring_system":"epss","scoring_elements":"0.74625","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00835","scoring_system":"epss","scoring_elements":"0.74662","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00835","scoring_system":"epss","scoring_elements":"0.74669","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00835","scoring_system":"epss","scoring_elements":"0.74661","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00835","scoring_system":"epss","scoring_elements":"0.74696","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00835","scoring_system":"epss","scoring_elements":"0.74703","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00835","scoring_system":"epss","scoring_elements":"0.74705","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00835","scoring_system":"epss","scoring_elements":"0.74579","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00835","scoring_system":"epss","scoring_elements":"0.74583","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00835","scoring_system":"epss","scoring_elements":"0.7461","published_a
t":"2026-04-04T12:55:00Z"},{"value":"0.00835","scoring_system":"epss","scoring_elements":"0.74584","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00835","scoring_system":"epss","scoring_elements":"0.74616","published_at":"2026-04-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21604"},{"reference_url":"https://github.com/jenkinsci/jenkins","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/jenkinsci/jenkins"},{"reference_url":"https://github.com/jenkinsci/jenkins/commit/f1056bd814fc1f19ea241a101d649b8c143807e7","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/jenkinsci/jenkins/commit/f1056bd814fc1f19ea241a101d649b8c143807e7"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21604","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21604"},{"reference_url":"https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-1923","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-1923"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1925157","reference_id":"1925157","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_b
ug.cgi?id=1925157"},{"reference_url":"https://security.archlinux.org/ASA-202101-41","reference_id":"ASA-202101-41","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202101-41"},{"reference_url":"https://security.archlinux.org/AVG-1446","reference_id":"AVG-1446","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1446"},{"reference_url":"https://github.com/advisories/GHSA-qv6f-rcv6-6q3x","reference_id":"GHSA-qv6f-rcv6-6q3x","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qv6f-rcv6-6q3x"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:0423","reference_id":"RHSA-2021:0423","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:0423"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:0429","reference_id":"RHSA-2021:0429","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:0429"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/388389?format=json","purl":"pkg:apk/alpine/jenkins@2.275-r0?arch=aarch64&distroversion=v3.12&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/jenkins@2.275-r0%3Farch=aarch64&distroversion=v3.12&reponame=community"}],"aliases":["CVE-2021-21604","GHSA-qv6f-rcv6-6q3x"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-db62-2h4q-x7fv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/55061?format=json","vulnerability_id":"VCID-k4qu-2s5e-y3c9","summary":"XSS vulnerability in Jenkins TICS Plugin\nJenkins TICS Plugin 2020.3.0.6 and earlier does not escape TICS service responses.\n\nThis results in a cross-site scripting (XSS) vulnerability exploitable 
by attackers able to control TICS service response content.\n\nJenkins TICS Plugin 2020.3.0.7 escapes TICS service responses, or strips HTML out, as appropriate.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21613","reference_id":"","reference_type":"","scores":[{"value":"0.00241","scoring_system":"epss","scoring_elements":"0.47204","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00241","scoring_system":"epss","scoring_elements":"0.47339","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00241","scoring_system":"epss","scoring_elements":"0.47363","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00241","scoring_system":"epss","scoring_elements":"0.47337","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00241","scoring_system":"epss","scoring_elements":"0.47344","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00241","scoring_system":"epss","scoring_elements":"0.47402","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00241","scoring_system":"epss","scoring_elements":"0.47396","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00241","scoring_system":"epss","scoring_elements":"0.47347","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00241","scoring_system":"epss","scoring_elements":"0.47333","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00241","scoring_system":"epss","scoring_elements":"0.47288","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00241","scoring_system":"epss","scoring_elements":"0.47282","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00241","scoring_system":"epss","scoring_elements":"0.47319","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00241","scoring_system":"epss","scoring_elements":"0.4734","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00241","scoring_system":"epss","scoring_elements":"0.47287","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00241","scoring_system":"epss","scoring_elements":"0.47342","published_at":"2026-04-26T12:55:00Z"}],"url":"https://api.first.org/data/v1/
epss?cve=CVE-2021-21613"},{"reference_url":"https://github.com/jenkinsci/tics-plugin","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/jenkinsci/tics-plugin"},{"reference_url":"https://github.com/jenkinsci/tics-plugin/commit/a64493ccf81a241c5e51736721c4fe9a3e56622b","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/jenkinsci/tics-plugin/commit/a64493ccf81a241c5e51736721c4fe9a3e56622b"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21613","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21613"},{"reference_url":"https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2098","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2098"},{"reference_url":"https://github.com/advisories/GHSA-xmw5-45v9-pxqx","reference_id":"GHSA-xmw5-45v9-pxqx","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xmw5-45v9-pxqx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/388389?format=json","purl":"pkg:apk/alpine/jenkins@2.275-r0?arch=aarch64&distrove
rsion=v3.12&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/jenkins@2.275-r0%3Farch=aarch64&distroversion=v3.12&reponame=community"}],"aliases":["CVE-2021-21613","GHSA-xmw5-45v9-pxqx"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-k4qu-2s5e-y3c9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/55078?format=json","vulnerability_id":"VCID-rrnb-9h1s-vkef","summary":"Path traversal vulnerability in Jenkins agent names\nJenkins 2.274 and earlier, LTS 2.263.1 and earlier allows users with Agent/Configure permission to choose agent names that cause Jenkins to override unrelated `config.xml` files. If the global `config.xml` file is replaced, Jenkins will start up with unsafe legacy defaults after a restart.\n\nJenkins 2.275, LTS 2.263.2 ensures that agent names are considered valid names for items to prevent this problem.\n\nIn case of problems, this change can be reverted by setting the [Java system property](https://www.jenkins.io/doc/book/managing/system-properties/) `jenkins.model.Nodes.enforceNameRestrictions` to 
`false`.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21605.json","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21605.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21605","reference_id":"","reference_type":"","scores":[{"value":"0.00441","scoring_system":"epss","scoring_elements":"0.63239","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00441","scoring_system":"epss","scoring_elements":"0.63234","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00441","scoring_system":"epss","scoring_elements":"0.63252","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00441","scoring_system":"epss","scoring_elements":"0.63269","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00441","scoring_system":"epss","scoring_elements":"0.63254","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00441","scoring_system":"epss","scoring_elements":"0.63218","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00441","scoring_system":"epss","scoring_elements":"0.63262","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00441","scoring_system":"epss","scoring_elements":"0.6324","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00441","scoring_system":"epss","scoring_elements":"0.6326","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00441","scoring_system":"epss","scoring_elements":"0.63273","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00441","scoring_system":"epss","scoring_elements":"0.63272","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00441","scoring_system":"epss","scoring_elements":"0.63128","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00441","scoring_system":"epss","scoring_elements":"0.63187","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00441","scoring_system":"epss","scoring_elements":"0.63217","publishe
d_at":"2026-04-04T12:55:00Z"},{"value":"0.00441","scoring_system":"epss","scoring_elements":"0.63182","published_at":"2026-04-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21605"},{"reference_url":"https://github.com/jenkinsci/jenkins","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/jenkinsci/jenkins"},{"reference_url":"https://github.com/jenkinsci/jenkins/commit/b19b34db4b24b163d4edc53ccb84f41a3589cb08","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/jenkinsci/jenkins/commit/b19b34db4b24b163d4edc53ccb84f41a3589cb08"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21605","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21605"},{"reference_url":"https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2021","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2021"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1925143","reference_id":"1925143","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1925143"},{"reference_url":"https://security.archlinux.org/ASA-202101-41","reference_id":"ASA-2021
01-41","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202101-41"},{"reference_url":"https://security.archlinux.org/AVG-1446","reference_id":"AVG-1446","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1446"},{"reference_url":"https://github.com/advisories/GHSA-pxgq-gqr9-5gwx","reference_id":"GHSA-pxgq-gqr9-5gwx","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pxgq-gqr9-5gwx"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:0423","reference_id":"RHSA-2021:0423","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:0423"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:0429","reference_id":"RHSA-2021:0429","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:0429"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/388389?format=json","purl":"pkg:apk/alpine/jenkins@2.275-r0?arch=aarch64&distroversion=v3.12&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/jenkins@2.275-r0%3Farch=aarch64&distroversion=v3.12&reponame=community"}],"aliases":["CVE-2021-21605","GHSA-pxgq-gqr9-5gwx"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rrnb-9h1s-vkef"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/jenkins@2.275-r0%3Farch=aarch64&distroversion=v3.12&reponame=community"}