CVE-2021-21680: 
Java vulnerability analysis and mitigation

The vulnerability CVE-2021-21680 affects the Jenkins Nested View Plugin versions 1.20 and earlier. This security flaw was discovered and reported by Brian Hysell from Synopsys Software Integrity Group, and was publicly disclosed on August 31, 2021. The vulnerability is related to an XML external entity (XXE) attack vulnerability in the plugin's XML transformer configuration (Jenkins Advisory).

The vulnerability is classified as High severity and involves the plugin's failure to configure its XML transformer to prevent XML external entity (XXE) attacks. This security issue allows attackers with the ability to configure views to exploit the vulnerability by having Jenkins parse specially crafted view XML definitions that utilize external entities (Jenkins Advisory, OSS Security).

When successfully exploited, this vulnerability enables attackers to extract secrets from the Jenkins controller or perform server-side request forgery (SSRF) attacks through crafted view XML definitions (Jenkins Advisory).

The vulnerability has been fixed in Nested View Plugin version 1.21, which disables external entity resolution for its XML transformer. Users are strongly advised to upgrade to this version to protect against XXE attacks (Jenkins Advisory).