CVE-2021-21637
Description
Jenkins Team Foundation Server Plugin 5.157.1 and earlier has a missing permission check, allowing attackers with Overall/Read to capture credentials via attacker-controlled URL and credentials IDs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Jenkins Team Foundation Server Plugin versions 5.157.1 and earlier contain a missing permission check in an HTTP endpoint. This flaw allows an attacker with Overall/Read permission to trigger a connection to an attacker-specified URL using attacker-specified credentials IDs [2][3].
To exploit this vulnerability, the attacker must have Overall/Read permission, which is a low-privilege permission. Additionally, the attacker needs to obtain valid credentials IDs through other means, such as another vulnerability or exposure. The attacker then crafts a request to the affected endpoint to connect to an external URL under their control, supplying the stolen credentials IDs [2].
Successful exploitation results in the attacker capturing the credentials stored in Jenkins as they are sent to the attacker-controlled URL. This can lead to credential theft and potential compromise of Jenkins and connected systems [3].
At the time of the security advisory (2021-03-30), no fix was available for this vulnerability. Users were advised to restrict Overall/Read permission or apply other mitigations [2]. Later plugin versions may address this issue.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:tfsMaven | <= 5.157.1 | — |
Affected products
- Jenkins project / Jenkins Team Foundation Server Plugin (v5, range: unspecified)
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — the mechanics section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- github.com/advisories/GHSA-6364-jx4h-7564 (GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-21637 (GHSA; advisory)
- www.openwall.com/lists/oss-security/2021/03/30/1 (GHSA; mailing list, x_refsource_MLIST, web)
- www.jenkins.io/security/advisory/2021-03-30/ (MITRE; x_refsource_CONFIRM)
- www.jenkins.io/security/advisory/2021-03-30/ (GHSA; web)
News mentions
- Jenkins Security Advisory 2021-03-30 (Jenkins Security Advisories, Mar 30, 2021)