
CVE-2021-21664: Incorrect permission check in XebiaLabs XL Deploy Plugin allows capturing credentials

CVSS Score (v3.1): 6.5

Basic Information

EPSS Score: 0.14381%
Published: 5/24/2022
Updated: 12/21/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Affected Package
Package Name: com.xebialabs.deployit.ci:deployit-plugin
Ecosystem: maven
Vulnerable Versions: <= 10.0.1
First Patched Version: 10.0.2

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The key vulnerability stemmed from the doValidateCredential method in Credential.java, where the permission check was improperly implemented. The patch history shows that this method initially lacked any permission check, and that a later change added a check for Permission.CREATE, which is insufficient for the sensitive credential validation operation. The vulnerability description explicitly states that the permission check was 'added but for the wrong permission' in earlier partial fixes. Because this method validates credentials against external URLs, it is the attack vector for credential capture when combined with the weak CREATE permission check.
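As an added illustration (not the plugin's own code, and not its actual patch, which this page does not show), the hypothetical Jenkins descriptor below contrasts a form-validation endpoint gated only on Item/Create, the pattern described above, with one hardened along the usual Jenkins form-validation guidance (POST only, a configuration-level permission, Credentials/UseItem, and credential lookup scoped to the item and target URL). The class name, method names and the connect stand-in are assumptions.

```java
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import com.cloudbees.plugins.credentials.domains.URIRequirementBuilder;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

public class XlDeployValidationExample { // hypothetical descriptor, not the plugin's code
    // WEAK: the shape of the partial fix described above. Item/Create is held by many
    // low-privilege users and says nothing about whether the caller may use the referenced
    // credential, and the endpoint answers GET, so a stored secret can be sent to a caller-chosen URL.
    public FormValidation doValidateCredentialWeak(@QueryParameter String serverUrl,
                                                   @QueryParameter String credentialsId) {
        Jenkins.get().checkPermission(Item.CREATE);
        return connect(serverUrl, lookup(null, serverUrl, credentialsId));
    }

    // HARDENED: POST only, gated on the permission that governs editing this configuration,
    // plus Credentials/UseItem so knowing a credentials ID is not enough to use the secret.
    @RequirePOST
    public FormValidation doValidateCredential(@AncestorInPath Item item,
                                               @QueryParameter String serverUrl,
                                               @QueryParameter String credentialsId) {
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            item.checkPermission(Item.CONFIGURE);
            item.checkPermission(CredentialsProvider.USE_ITEM);
        }
        return connect(serverUrl, lookup(item, serverUrl, credentialsId));
    }

    // Resolve the credential in the scope of the item and of credential domains matching the URL.
    private static StandardUsernamePasswordCredentials lookup(Item item, String url, String id) {
        return CredentialsMatchers.firstOrNull(
            CredentialsProvider.lookupCredentials(StandardUsernamePasswordCredentials.class, item,
                ACL.SYSTEM, URIRequirementBuilder.fromUri(url).build()), CredentialsMatchers.withId(id));
    }

    // Stand-in for the plugin's outbound connection test (hypothetical; performs no network I/O).
    private static FormValidation connect(String url, StandardUsernamePasswordCredentials c) {
        return c == null ? FormValidation.error("Unknown credentials ID") : FormValidation.ok("Would connect to " + url + " as " + c.getUsername());
    }
}
```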
