QwikSec

Security Database

CVE

CWE

Training

CVE-2021-21643

Published: Apr 21, 2021

Modified: Aug 3, 2024

PUBLISHED

Description

Jenkins Config File Provider Plugin 3.7.0 and earlier does not correctly perform permission checks in several HTTP endpoints, allowing attackers with global Job/Configure permission to enumerate system-scoped credentials IDs of credentials stored in Jenkins.

Vendor	Product	Versions
Jenkins project	Jenkins Config File Provider Plugin	affected `unspecified - <= 3.7.0`

References

https://www.jenkins.io/security/advisory/2021-04-21/#SECURITY-2254

x_refsource_CONFIRM

[oss-security] 20210421 Multiple vulnerabilities in Jenkins plugins

mailing-list

x_refsource_MLIST

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.