4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-21662

GHSA ID

GHSA-h246-g39x-7vmx

EPSS Score

0.3179%

CWE

CWE-862

Published

5/24/2022

Updated

12/22/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-21662

CVE-2021-21662: Missing permission check in Jenkins XebiaLabs XL Deploy Plugin allows enumerating credentials IDs

Jenkins XebiaLabs XL Deploy Plugin 10.0.1 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in XebiaLabs XL Deploy Plugin 10.0.2 requires the appropriate permissions.

(GitHub Advisory)

4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-21662

GHSA ID

GHSA-h246-g39x-7vmx

EPSS Score

0.3179%

CWE

CWE-862

Published

5/24/2022

Updated

12/22/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.xebialabs.deployit.ci:deployit-plugin	maven	<= 10.0.1	10.0.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The commit 79ae204 explicitly adds permission checks to these two methods. The vulnerability description specifically mentions missing authorization in form validation methods for credential enumeration. The patched methods correspond to credential validation (doValidateCredential) and credential ID listing (doFillCredentialsIdItems) functionality, which would directly expose credential IDs if unprotected. The CWE-862 (Missing Authorization) alignment and the direct correlation between patch changes and vulnerability description confirm these as the vulnerable functions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins X**i*L**s XL **ploy Plu*in **.*.* *n* **rli*r *o*s not p*r*orm * p*rmission ****k in * m*t*o* impl*m*ntin* *orm v*li**tion. T*is *llows *tt**k*rs wit* Ov*r*ll/R*** p*rmission to *num*r*t* *r***nti*ls I*s o* *r***nti*ls stor** in J*nkins. T*o

Reasoning

T** *ommit ******* *xpli*itly ***s p*rmission ****ks to t**s* two m*t*o*s. T** vuln*r**ility **s*ription sp**i*i**lly m*ntions missin* *ut*oriz*tion in *orm `v*li**tion` m*t*o*s *or *r***nti*l *num*r*tion. T** p*t**** m*t*o*s *orr*spon* to *r***nti*l

4.3

Basic Information

Concerned about an active attack path?

CVE-2021-21662: Missing permission check in Jenkins XebiaLabs XL Deploy Plugin allows enumerating credentials IDs

4.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI