[org.jenkins-ci.plugins:templating-engine] Remote code execution vulnerability in Jenkins Templating Engine Plugin

Templating Engine Plugin 2.1 and earlier does not protect its pipeline configurations using Script Security Plugin.

This vulnerability allows attackers with Job/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM.

Templating Engine Plugin 2.2 integrates with Script Security Plugin to protect its pipeline configurations.

References

• https://nvd.nist.gov/vuln/detail/CVE-2021-21646
• https://www.jenkins.io/security/advisory/2021-04-21/#SECURITY-2311
• http://www.openwall.com/lists/oss-security/2021/04/21/2
• https://github.com/advisories/GHSA-p6qc-37hq-wqr6