8.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2021-21633

GHSA ID

GHSA-v7xh-h48c-xw5f

EPSS Score

0.23143%

CWE

CWE-352

Published

5/24/2022

Updated

12/7/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-21633

CVE-2021-21633: CSRF vulnerability and in Jenkins OWASP Dependency-Track Plugin allow capturing credentials

Jenkins OWASP Dependency-Track Plugin 3.1.0 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing "Secret text" credentials stored in Jenkins. If no credentials ID is specified, the globally configured credential is used, if set up, and can likewise be captured.

Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Jenkins OWASP Dependency-Track Plugin 3.1.1 requires POST requests and appropriate permissions for the affected HTTP endpoints.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2021-21633

CVE-2021-21633:

8.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2021-21633

GHSA ID

GHSA-v7xh-h48c-xw5f

EPSS Score

0.23143%

CWE

CWE-352

Published

5/24/2022

Updated

12/7/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:dependency-track	maven	<= 3.1.0	3.1.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The commit diff shows these functions were modified to add @POST annotations and permission checks (Jenkins.ADMINISTER/Item.CONFIGURE). Their pre-patch versions: 1) Accepted any HTTP method (CSRFable), 2) Lacked authorization checks, 3) Handled credential-related operations. This matches the vulnerability description of unauthorized credential capture via CSRF. The Jelly UI changes enforcing POST align with the endpoint hardening.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2021-21633: CSRF vulnerability and in Jenkins OWASP Dependency-Track Plugin allow capturing credentials

CVE-2021-21633:

8.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Technical Details

CVE-2021-21633: CSRF vulnerability and in Jenkins OWASP Dependency-Track Plugin allow capturing credentials

8.8

8.8

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI