CVE-2021-21661: Missing Authorization in Jenkins Kubernetes CLI Plugin

CVSS Score (CVSS v3.1): 4.3

Basic Information

EPSS Score: 0.52525%
Published: 6/16/2021
Updated: 10/27/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name: org.jenkins-ci.plugins:kubernetes-cli
Ecosystem: maven
Vulnerable Versions: < 1.10.1
First Patched Version: 1.10.1

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from missing permission checks in HTTP endpoints handling credential operations. Jenkins plugin patterns indicate credential-related endpoints typically use doFill[...]Items for dropdown population and doCheck[...] for validation. The security advisory specifically calls out credential ID enumeration via unprotected endpoints, which would map to these methods. While exact code isn't available, Jenkins' convention for form validation methods and the advisory's technical details support this mapping. Confidence is medium due to reliance on plugin conventions rather than direct patch inspection.


WAF Protection Rules

WAF Rule

Jenkins Kubernetes CLI Plugin 1.10.0 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
