GHSA-8h77-3xwr-hqhh
GitHub Security Advisory
Cross-site scripting in Jenkins Kiuwan Plugin
✓ GitHub Reviewed
MODERATE
Has CVE
Advisory Details
Jenkins Kiuwan Plugin 1.6.0 and earlier does not escape query parameters in an error message for a form validation endpoint, resulting in a reflected cross-site scripting (XSS) vulnerability.
Only older releases of Jenkins are affected by this vulnerability. Jenkins 2.275 and newer, and LTS 2.263.2 and newer, include a protection that prevents this vulnerability from being exploited.
Jenkins Kiuwan Plugin 1.6.1 escapes affected parts of the error message in the form validation endpoint.
Affected Packages
Maven: org.jenkins-ci.plugins:kiuwanJenkinsPlugin
Affected versions: 0 (fixed in 1.6.1)
Related CVEs
Key Information
5.0/10
Dataset
Last updated: August 27, 2025 6:31 AM
Data from GitHub Advisory Database. This information is provided for research and educational purposes.