CVE-2021-21643

CWE-863Incorrect AuthorizationCWE-2816 documents6 sources
Severity
6.5MEDIUM
EPSS
0.8%
top 25.41%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Jenkins Project Jenkins Config File Provider PluginJenkins Config File Provider
Timeline
PublishedApr 21
Latest updateMay 24

Description

Jenkins Config File Provider Plugin 3.7.0 and earlier does not correctly perform permission checks in several HTTP endpoints, allowing attackers with global Job/Configure permission to enumerate system-scoped credentials IDs of credentials stored in Jenkins.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

🔴Vulnerability Details

3
OSV
Incorrect permission checks in Jenkins Config File Provider Plugin allow enumerating credentials IDs2022-05-24
GHSA
Incorrect permission checks in Jenkins Config File Provider Plugin allow enumerating credentials IDs2022-05-24
CVEList
CVE-2021-21643: Jenkins Config File Provider Plugin 32021-04-21

📋Vendor Advisories

2
Jenkins
Jenkins Security Advisory 2021-04-212021-04-21
Red Hat
jenkins-2-plugins/config-file-provider: Does not correctly perform permission checks in several HTTP endpoints.2021-04-21
CVE-2021-21643 (MEDIUM CVSS 6.5) | Jenkins Config File Provider Plugin | cvebase.io