CVE-2021-21636
Description
Missing permission check in Jenkins Team Foundation Server Plugin allows attackers with Overall/Read to enumerate credentials IDs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing permission check in Jenkins Team Foundation Server Plugin allows attackers with Overall/Read to enumerate credentials IDs.
Vulnerability
Description
A missing permission check in the Jenkins Team Foundation Server Plugin (versions 5.157.1 and earlier) allows attackers with Overall/Read permission to enumerate credential IDs stored in Jenkins [1][2]. The plugin fails to properly authorize access to certain API endpoints, exposing internal identifiers without requiring more privileged permissions.
Exploitation
An attacker needs only Overall/Read permission, which is a low-level privilege typically granted to many users. No further authentication or network position is required beyond Jenkins access. The enumeration can be performed remotely via crafted requests to the affected plugin endpoints [3].
Impact
By enumerating credential IDs, an attacker can identify valid credential identifiers, which may be used in subsequent attacks to reference specific credentials. While the actual secrets are not exposed directly, knowing the IDs enables targeted attacks that could exploit other vulnerabilities or social engineering [4].
Mitigation
As of the advisory date (March 30, 2021), the Jenkins security team acknowledged the issue but did not release a fix. Users are advised to restrict Overall/Read permission to trusted users only and monitor for plugin updates [2][3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.jenkins-ci.plugins:tfsMaven | <= 5.157.1 | — |
Affected products
2- Jenkins project/Jenkins Team Foundation Server Pluginv5Range: unspecified
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
5- github.com/advisories/GHSA-vg28-9f43-gmh5ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-21636ghsaADVISORY
- www.openwall.com/lists/oss-security/2021/03/30/1ghsamailing-listx_refsource_MLISTWEB
- www.jenkins.io/security/advisory/2021-03-30/mitrex_refsource_CONFIRM
- www.jenkins.io/security/advisory/2021-03-30/ghsaWEB
News mentions
1- Jenkins Security Advisory 2021-03-30Jenkins Security Advisories · Mar 30, 2021