Missing Permission Check in Jenkins Team Foundation Server Plugin by Jenkins
CVE-2021-21637

6.5MEDIUM

Key Information:

Vendor
Jenkins
Status
Jenkins Team Foundation Server Plugin
Vendor
CVE Published:
30 March 2021

Summary

The vulnerability in the Jenkins Team Foundation Server Plugin arises from a missing permission check that affects versions 5.157.1 and earlier. This flaw allows attackers, who possess Overall/Read permission, to connect to a URL of their choosing using compromised credentials obtained from another method. As a result, it exposes sensitive credentials stored within Jenkins, creating a risk for unauthorized access.

Affected Version(s)

Jenkins Team Foundation Server Plugin <= 5.157.1

References

https://www.jenkins.io/security/advisory/2021-03-30/#SECU...
x_refsource_CONFIRM
http://www.openwall.com/lists/oss-security/2021/03/30/1
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.