CVE-2021-21625
Description
Jenkins CloudBees AWS Credentials Plugin 1.28 and earlier lacks a permission check, allowing users with Overall/Read to enumerate AWS credential IDs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
CVE-2021-21625 is a missing permission check in the CloudBees AWS Credentials Plugin for Jenkins, affecting versions 1.28 and earlier. The plugin's helper method used for HTTP endpoints does not verify that the requesting user has the necessary permissions, allowing unauthorized access to credential IDs [1].
Exploitation
An attacker with Overall/Read permission (or potentially Item/Read depending on context) can send a crafted request to a vulnerable endpoint to enumerate the IDs of stored AWS credentials. No additional authentication or network access is required beyond being an authenticated Jenkins user with the mentioned permission [1][3].
Impact
Successful exploitation leaks the credential IDs, which are unique identifiers for AWS credentials stored in Jenkins. While this does not directly expose the secret keys, it provides attackers with information that can be leveraged in subsequent attacks, such as attempting to use the credentials if they can also guess or obtain the actual secret [1].
Mitigation
The Jenkins security advisory recommends upgrading to CloudBees AWS Credentials Plugin version 1.28.1 or later [3]. The fix introduces a permission check requiring either Item.CONFIGURE on the context or Jenkins.ADMINISTER, as shown in the commit [4]. No workarounds are available.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:aws-credentials (Maven) | < 1.28.1 | 1.28.1 |
Affected products
- Range: unspecified
Patches
dd477a071bd6 [SECURITY-2032]
1 file changed · +21 −8
src/main/java/com/cloudbees/jenkins/plugins/awscredentials/AWSCredentialsHelper.java+21 −8 modified@@ -2,10 +2,13 @@ import com.cloudbees.plugins.credentials.CredentialsMatchers; import com.cloudbees.plugins.credentials.CredentialsProvider; +import com.cloudbees.plugins.credentials.common.AbstractIdCredentialsListBoxModel; import com.cloudbees.plugins.credentials.common.StandardListBoxModel; +import hudson.model.Item; import hudson.model.ItemGroup; import hudson.security.ACL; import hudson.util.ListBoxModel; +import jenkins.model.Jenkins; import org.apache.commons.lang.StringUtils; import javax.annotation.CheckForNull; @@ -30,14 +33,24 @@ public static AmazonWebServicesCredentials getCredentials(@Nullable String crede CredentialsMatchers.withId(credentialsId)); } + private static boolean hasPermission(ItemGroup context) { + if (context instanceof Item) { + return ((Item) context).hasPermission(Item.CONFIGURE); + } else { + return Jenkins.getInstance().hasPermission(Jenkins.ADMINISTER); + } + } + public static ListBoxModel doFillCredentialsIdItems(ItemGroup context) { - return new StandardListBoxModel() - .withEmptySelection() - .withMatching( - CredentialsMatchers.always(), - CredentialsProvider.lookupCredentials(AmazonWebServicesCredentials.class, - context, - ACL.SYSTEM, - Collections.EMPTY_LIST)); + AbstractIdCredentialsListBoxModel result = new StandardListBoxModel().includeEmptyValue(); + if (hasPermission(context)) { + result = result.withMatching( + CredentialsMatchers.always(), + CredentialsProvider.lookupCredentials(AmazonWebServicesCredentials.class, + context, + ACL.SYSTEM, + Collections.EMPTY_LIST)); + } + return result; } }
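Review bot: in the second hunk, `hasPermission` calls `Jenkins.getInstance()` on the non-Item branch; that accessor is deprecated in Jenkins core in favour of `Jenkins.get()`, which fails fast instead of returning null, so switch to it if the plugin's core baseline allows. Two smaller points in the same hunk: a null `context` silently falls through `instanceof Item` into the `Jenkins.ADMINISTER` branch, which is the safe default but deserves either an explicit null check or a comment, since the method does not document whether `context` may be null; and `Collections.EMPTY_LIST` is a raw type, for which `Collections.emptyList()` would be the type-safe replacement. Returning a model that contains only the empty value when the check fails, rather than throwing, is the right choice for a form-fill endpoint because the caller sees an empty dropdown and learns nothing about which credential IDs exist.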
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/advisories/GHSA-jwr9-h4jm-c9ch (GitHub Security Advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2021-21625 (NVD)
- [3] www.openwall.com/lists/oss-security/2021/03/18/5 (oss-security mailing list)
- [4] github.com/jenkinsci/aws-credentials-plugin/commit/dd477a071bd633d9118c63dc3f19a2fd0590aecb (fix commit)
- [5] www.jenkins.io/security/advisory/2021-03-18/ (Jenkins security advisory)
News mentions
- Jenkins Security Advisory 2021-03-18 (Jenkins Security Advisories · Mar 18, 2021)