
CVE-2021-21654:
Missing Authorization in Jenkins P4 plugin

CVSS Score
4.3
CVSS Version
3.1

Basic Information

EPSS Score
0.14874%
Published
6/16/2021
Updated
12/25/2023
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Package Name
org.jenkins-ci.plugins:p4
Ecosystem
maven
Vulnerable Versions
<= 1.11.4
First Patched Version
1.11.5

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from missing permission checks in the plugin's connection-test endpoints. The fix commit shows:

  1. Both doTestConnection methods lacked a Jenkins.ADMINISTER permission check before patching.
  2. The @POST annotation was added so that the endpoints only respond to POST requests.
  3. The credential UI elements were wrapped in admin checks.
  4. The CVE description specifically mentions unprotected HTTP endpoints that allow connection testing with attacker-controlled credentials.
  5. The patch adds explicit Administer permission checks to these methods, confirming that they were the vulnerable endpoints.
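The pattern described above, as an added illustration that is not the P4 plugin's own code: a Jenkins form-validation endpoint in its unprotected form beside the hardened form the fix applies (Administer check plus @POST). ExamplePerforceValidation, the parameter names and the probe helper are hypothetical; the Jenkins and Stapler imports are real APIs.

```java
// Added example, not code from the P4 plugin. ExamplePerforceValidation
// and probe() are hypothetical stand-ins; Jenkins/Stapler APIs are real.
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

public class ExamplePerforceValidation {

    // BEFORE (vulnerable pattern): Stapler exposes any do<Name> method as an
    // HTTP endpoint. Without a permission check, every user with Overall/Read
    // can make the Jenkins controller open a connection to a caller-chosen
    // server with caller-chosen credentials, via GET or POST.
    public FormValidation doTestConnection(@QueryParameter String p4port,
                                           @QueryParameter String user,
                                           @QueryParameter String password) {
        return probe(p4port, user, password);
    }

    // AFTER (patched pattern): @POST rejects non-POST requests, and
    // checkPermission throws AccessDeniedException for callers lacking
    // Overall/Administer before any connection attempt is made.
    @POST
    public FormValidation doTestConnectionFixed(@QueryParameter String p4port,
                                                @QueryParameter String user,
                                                @QueryParameter String password) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return probe(p4port, user, password);
    }

    // Hypothetical stand-in for the real Perforce connection attempt.
    private FormValidation probe(String p4port, String user, String password) {
        if (p4port == null || p4port.isEmpty()) {
            return FormValidation.error("P4PORT is required");
        }
        // A real plugin would open a Perforce session here and report
        // success or the server's error message.
        return FormValidation.ok("Connection parameters accepted");
    }
}
```

Form-validation endpoints are reachable by URL (for example under /descriptorByName/), so the permission check must live in the Java method itself, not only in the Jelly UI that renders the button.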


WAF Protection Rules

WAF Rule

Jenkins P4 Plugin 1.11.4 and earlier does not perform permission checks in multiple HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified Perforce server using attacker-specified username and password.
