AVID-2026-R0716
Description
Vulnerability: CVE-2021-21677
Details
Jenkins Code Coverage API Plugin 1.4.0 and earlier does not apply Jenkins JEP-200 deserialization protection to Java objects it deserializes from disk, resulting in a remote code execution vulnerability.
Reason for inclusion in AVID: CVE-2021-21677 describes a remote code execution vulnerability in the Jenkins Code Coverage API Plugin caused by missing deserialization protection (the plugin does not apply Jenkins' JEP-200 safeguards to Java objects it reads from disk). Jenkins is a CI/CD tool widely used in AI/ML pipelines for building, testing, packaging, and deploying models and related software, so this vulnerability affects a component of the software supply chain that AI systems rely on (CI/CD, artifact generation, and deployment pipelines). The CVE clearly describes a security vulnerability (RCE) with referenced advisories and sources, providing sufficient evidence for inclusion as a general-purpose software supply chain vulnerability relevant to AI systems.
References
- NVD entry
- https://www.jenkins.io/security/advisory/2021-08-31/#SECURITY-2376
- http://www.openwall.com/lists/oss-security/2021/08/31/1
Affected or Relevant Artifacts
- Developer: Jenkins project
- Deployer: Jenkins project
- Artifact Details:
| Type | Name |
|---|---|
| System | Jenkins Code Coverage API Plugin |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2021-08-31
- Version: 0.3.3
- AVID Entry