CVE-2021-21645

CWE-281 CWE-862 — Missing Authorization6 documents6 sources

Severity

4.3MEDIUM

EPSS

0.1%

top 69.38%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Config File Provider Plugin Jenkins Config File Provider

Timeline

PublishedApr 21

Latest updateMay 24

Description

Jenkins Config File Provider Plugin 3.7.0 and earlier does not perform permission checks in several HTTP endpoints, attackers with Overall/Read permission to enumerate configuration file IDs.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶Mavenorg.jenkins-ci.plugins:config-file-provider< 3.7.1

▶CVEListV5jenkins_project/jenkins_config_file_provider_pluginunspecified — 3.7.0

▶NVDjenkins/config_file_provider3.7.0

🔴Vulnerability Details

OSV

Missing permission checks in Jenkins Config File Provider Plugin allow enumerating configuration file IDs↗2022-05-24

▶

GHSA

Missing permission checks in Jenkins Config File Provider Plugin allow enumerating configuration file IDs↗2022-05-24

▶

CVEList

CVE-2021-21645: Jenkins Config File Provider Plugin 3↗2021-04-21

▶

📋Vendor Advisories

Red Hat

jenkins-2-plugins/config-file-provider: Does not perform permission checks in several HTTP endpoints.↗2021-04-21

▶

Jenkins

Jenkins Security Advisory 2021-04-21↗2021-04-21

▶