CVE-2021-21625

CWE-862 — Missing Authorization5 documents5 sources

Severity

4.3MEDIUM

EPSS

0.0%

top 91.14%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Cloudbees AWS Credentials Plugin Jenkins Cloudbees AWS Credentials

Timeline

PublishedMar 18

Latest updateMay 24

Description

Jenkins CloudBees AWS Credentials Plugin 1.28 and earlier does not perform a permission check in a helper method for HTTP endpoints, allowing attackers with Overall/Read permission to enumerate credentials IDs of AWS credentials stored in Jenkins in some circumstances.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶CVEListV5jenkins_project/jenkins_cloudbees_aws_credentials_pluginunspecified — 1.28

▶Mavenorg.jenkins-ci.plugins:aws-credentials< 1.28.1

▶NVDjenkins/cloudbees_aws_credentials1.28

🔴Vulnerability Details

OSV

Missing permission checks in Jenkins CloudBees AWS Credentials Plugin allows enumerating credentials IDs↗2022-05-24

▶

GHSA

Missing permission checks in Jenkins CloudBees AWS Credentials Plugin allows enumerating credentials IDs↗2022-05-24

▶

CVEList

CVE-2021-21625: Jenkins CloudBees AWS Credentials Plugin 1↗2021-03-18

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2021-03-18↗2021-03-18

▶