6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-21664

GHSA ID

GHSA-jm4g-8rvq-v87j

EPSS Score

0.14381%

CWE

CWE-863

Published

5/24/2022

Updated

12/21/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-21664

CVE-2021-21664: Incorrect permission check in XebiaLabs XL Deploy Plugin allows capturing credentials

An incorrect permission check in Jenkins XebiaLabs XL Deploy Plugin 10.0.1 and earlier allows attackers with Generic Create permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing Username/password credentials stored in Jenkins.

The permission check was partially fixed in XebiaLabs XL Deploy Plugin 7.5.9: A permission check was added, but for the wrong permission, still allowing some non-admin users to access the form validation method.

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-21664

GHSA ID

GHSA-jm4g-8rvq-v87j

EPSS Score

0.14381%

CWE

CWE-863

Published

5/24/2022

Updated

12/21/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.xebialabs.deployit.ci:deployit-plugin	maven	<= 10.0.1	10.0.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The key vulnerability stemmed from Credential.java's doValidateCredential method where the permission check was improperly implemented. The patch shows this method initially lacked any permission check, then added a check for Permission.CREATE (insufficient for the sensitive credential validation operation). The vulnerability description explicitly states the permission check was 'added but for the wrong permission' in earlier partial fixes. This method handles credential validation against external URLs, making it the attack vector for credential capture when combined with the weak CREATE permission check.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n in*orr**t p*rmission ****k in J*nkins X**i*L**s XL **ploy Plu*in **.*.* *n* **rli*r *llows *tt**k*rs wit* **n*ri* *r**t* p*rmission to *onn**t to *n *tt**k*r-sp**i*i** URL usin* *tt**k*r-sp**i*i** *r***nti*ls I*s o*t*in** t*rou** *not**r m*t*o*, *

Reasoning

T** k*y vuln*r**ility st*mm** *rom *r***nti*l.j*v*'s *oV*li**t**r***nti*l m*t*o* w**r* t** p*rmission ****k w*s improp*rly impl*m*nt**. T** p*t** s*ows t*is m*t*o* initi*lly l**k** *ny p*rmission ****k, t**n ***** * ****k *or P*rmission.*R**T* (insu*

6.5

Basic Information

Concerned about an active attack path?

CVE-2021-21664: Incorrect permission check in XebiaLabs XL Deploy Plugin allows capturing credentials

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI