CVE-2021-21635: 
Java vulnerability analysis and mitigation

CVE-2021-21635 (SECURITY-2261) affects the Jenkins REST List Parameter Plugin versions 1.3.0 and earlier. The vulnerability was discovered by Kevin Guerroudj and was disclosed on March 30, 2021. This security issue impacts the Jenkins automation server's REST List Parameter Plugin, which is a component used for parameter handling in Jenkins jobs (Jenkins Advisory, CVE Mitre).

The vulnerability is a stored cross-site scripting (XSS) vulnerability that occurs because the plugin does not escape a parameter name reference in embedded JavaScript. The severity is rated as High according to the CVSS scoring system. The technical issue specifically relates to how the plugin handles parameter name references within its JavaScript implementation (Jenkins Advisory).

This vulnerability can be exploited by attackers who have Job/Configure permission in Jenkins. When successfully exploited, it allows for stored cross-site scripting attacks through the manipulation of parameter name references in the embedded JavaScript (Jenkins Advisory).

The vulnerability has been fixed in REST List Parameter Plugin version 1.3.1, which no longer identifies parameters using user-specified content. Users are strongly advised to update to this version to address the security issue. The fix involves changing how parameters are identified in the plugin's implementation (Jenkins Advisory).