CVE-2021-21664

CWE-863 — Incorrect Authorization5 documents5 sources

Severity

6.5MEDIUM

EPSS

0.0%

top 85.44%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Xebialabs XL Deploy Plugin Jenkins Xebialabs XL Deploy

Timeline

PublishedJun 10

Latest updateMay 24

Description

An incorrect permission check in Jenkins XebiaLabs XL Deploy Plugin 10.0.1 and earlier allows attackers with Generic Create permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing Username/password credentials stored in Jenkins.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶CVEListV5jenkins_project/jenkins_xebialabs_xl_deploy_plugin7.5.9 — unspecified+1

▶NVDjenkins/xebialabs_xl_deploy10.0.1

▶Mavencom.xebialabs.deployit.ci:deployit-plugin< 10.0.2

🔴Vulnerability Details

OSV

Incorrect permission check in XebiaLabs XL Deploy Plugin allows capturing credentials↗2022-05-24

▶

GHSA

Incorrect permission check in XebiaLabs XL Deploy Plugin allows capturing credentials↗2022-05-24

▶

CVEList

CVE-2021-21664: An incorrect permission check in Jenkins XebiaLabs XL Deploy Plugin 10↗2021-06-10

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2021-06-10↗2021-06-10

▶