CVE-2021-21645
Published: 2021-04-21
Priority: P4 · 21 · CVSS 3.1 base score 4.3 (medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.89% (54.7th percentile)
Jenkins Config File Provider Plugin 3.7.0 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to enumerate configuration file IDs.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | cloudbees_cd_plugin | — | — |
| jenkins | config_file_provider | <= 3.7.0 | — |
| jenkins | config_file_provider_plugin | — | — |
| jenkins | ids_in_config_file_provider_plugin | — | — |
| jenkins | script_security_plugin | — | — |
| jenkins | templating_engine_plugin | — | — |
| jenkins_project | jenkins_config_file_provider_plugin | unspecified – 3.7.0 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| nvd | 2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
| vendor_redhat | — | 4.3 | MEDIUM | — |
Red Hat
jenkins-2-plugins/config-file-provider: Does not perform permission checks in several HTTP endpoints.
vendor_redhat · 2021-04-21 · CVSS 4.3 · CVE-2021-21645 [MEDIUM] · CWE-281
Jenkins Config File Provider Plugin 3.7.0 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to enumerate configuration file IDs.
A flaw was found in the config-file-provider Jenkins plugin. The plugin does not perform permission checks in several HTTP endpoints; as a consequence, an attacker with Overall/Read permission is allowed to enumerate configuration file IDs.
Jenkins
Jenkins Security Advisory 2021-04-21
vendor_jenkins · 2021-04-21 · CVSS 8.1 · CVE-2021-21642 [HIGH]
Title: Jenkins Security Advisory 2021-04-21
This advisory announces vulnerabilities in the following Jenkins deliverables:
- CloudBees CD Plugin
- Config File Provider Plugin
- Templating Engine Plugin
Descriptions
XXE vulnerability in Config File Provider Plugin (SECURITY-2204 / CVE-2021-21642)
Severity
OSV
Missing permission checks in Jenkins Config File Provider Plugin allow enumerating configuration file IDs
osv · 2022-05-24 · CVE-2021-21645 [MEDIUM]
Jenkins Config File Provider Plugin 3.7.0 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate configuration file IDs.
An enumeration of configuration file IDs in Jenkins Config File Provider Plugin 3.7.1 requires the appropriate permissions.
GHSA
Missing permission checks in Jenkins Config File Provider Plugin allow enumerating configuration file IDs
ghsa · 2022-05-24 · CVE-2021-21645 [MEDIUM] · CWE-862
Jenkins Config File Provider Plugin 3.7.0 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate configuration file IDs.
An enumeration of configuration file IDs in Jenkins Config File Provider Plugin 3.7.1 requires the appropriate permissions.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2021-04-21