VYPR
High severity · NVD Advisory · Published Mar 30, 2021 · Updated Aug 3, 2024

CVE-2021-21638

Description

CSRF in Jenkins TFS Plugin 5.157.1 and earlier lets attackers connect to an attacker-controlled URL with stolen credentials, capturing Jenkins credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

A cross-site request forgery (CSRF) vulnerability exists in the Jenkins Team Foundation Server Plugin (tfs-plugin) in versions 5.157.1 and earlier. Several of the plugin's HTTP endpoints do not require POST requests. Jenkins enforces its CSRF protection (the crumb token) only on POST, so an endpoint that also answers GET can be invoked by any page the victim's browser loads, without a crumb. An attacker who lures a Jenkins user with sufficient permissions to a malicious page can therefore trigger an unintended action on the Jenkins server in that user's session.

Exploitation

Details

An attacker can use this CSRF flaw to make Jenkins connect to an attacker-specified URL using credentials selected by a credentials ID that the attacker obtained through some other means (for example, a separate information disclosure). By crafting a malicious web page or HTML email, the attacker forces an authenticated Jenkins user's browser to issue the forged request to the plugin endpoint. Because the endpoint accepts GET and performs no HTTP method or origin check, the request arrives without a CSRF crumb and is processed anyway [1][2].

Impact

If successfully exploited, the attacker captures the credentials stored in Jenkins under the chosen credentials ID: Jenkins connects to the attacker's server and presents those credentials (for example, a username and password, or a token) to it, so the secret itself is disclosed to the attacker-controlled endpoint [2][3]. Only the credentials ID, not the secret, needs to be known in advance. The vulnerability has a CVSS v3.1 base score of 8.8 (High) with vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H: reachable over the network with low complexity and no privileges, requiring user interaction, with high impact on confidentiality, integrity, and availability [3].

Mitigation

The Jenkins security advisory [2] and the oss-security announcement [4] state that as of the advisory date (2021-03-30) no fix was available for this vulnerability. Users are advised to apply any later plugin update, monitor the advisory for changes, or remove the plugin if it is not needed. The issue is tracked as SECURITY-2283 (2) in Jenkins' issue tracker [2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:tfs (Maven)
Affected versions: <= 5.157.1
Patched versions: none listed

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 5

News mentions: 1