Jenkins XebiaLabs XL Deploy Plugin Vulnerability Exposes Credentials IDs to Unauthorized Users
CVE-2021-21662

4.3MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Xebialabs Xl Deploy Plugin
Vendor: CVE Published:; 10 June 2021

Summary

The Jenkins XebiaLabs XL Deploy Plugin version 10.0.1 and earlier contains a security flaw due to a missing permission check. This vulnerability enables attackers with Overall/Read permissions to enumerate the IDs of credentials stored within Jenkins, potentially exposing sensitive data. Administrators are urged to upgrade to the latest version of the plugin and review access permissions to mitigate the risk.

Affected Version(s)

Jenkins XebiaLabs XL Deploy Plugin <= 10.0.1

References

https://www.jenkins.io/security/advisory/2021-06-10/#SECU...

x_refsource_CONFIRM

http://www.openwall.com/lists/oss-security/2021/06/10/14

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 10, 2021
Vulnerability Reserved
Jan 4, 2021