VYPR
Moderate severity · NVD Advisory · Published May 11, 2021 · Updated Aug 3, 2024

CVE-2021-21651

Description

Jenkins S3 publisher Plugin 0.11.6 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to obtain the list of configured profiles.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                              | Affected versions     | Patched versions
org.jenkins-ci.plugins:s3 (Maven)    | >= 0.11.6, < 0.11.7   | 0.11.7
org.jenkins-ci.plugins:s3 (Maven)    | < 0.11.5.1            | 0.11.5.1

Patches

2e85e45c0e4e

[SECURITY-2201]

https://github.com/jenkinsci/s3-plugin · Adrien Lecharpentier · May 6, 2021 · via ghsa
1 file changed · +11 −2
  • src/main/java/hudson/plugins/s3/S3BucketPublisher.java · +11 −2 · modified
    @@ -15,6 +15,7 @@
     import hudson.model.AbstractProject;
     import hudson.model.Action;
     import hudson.model.Fingerprint;
    +import hudson.model.Item;
     import hudson.model.Result;
     import hudson.model.Run;
     import hudson.model.TaskListener;
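Review bot: `hudson.model.Item` is imported here for the `Item.CONFIGURE` and `Item.CREATE` checks added later in this patch, but that later hunk also calls `Jenkins.get()` and neither import hunk adds `jenkins.model.Jenkins`; confirm the file already imports it (the pre-existing descriptor `configure(StaplerRequest, JSONObject)` method in that hunk's header suggests it does) so the change compiles on both the 0.11.x and 0.11.5.x lines it is backported to.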
    @@ -34,10 +35,10 @@
     import net.sf.json.JSONObject;
     import org.apache.commons.lang.StringUtils;
     import org.jenkinsci.Symbol;
    +import org.kohsuke.stapler.AncestorInPath;
     import org.kohsuke.stapler.DataBoundConstructor;
     import org.kohsuke.stapler.QueryParameter;
     import org.kohsuke.stapler.StaplerRequest;
    -import org.kohsuke.stapler.StaplerResponse;
     import org.kohsuke.stapler.interceptor.RequirePOST;
     
     import javax.annotation.Nonnull;
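Review bot: the removal of `import org.kohsuke.stapler.StaplerResponse;` is unrelated cleanup of an apparently unused import and does not belong in a security fix; keeping SECURITY-2201 limited to the `AncestorInPath` import and the permission check makes the commit minimal and easier to cherry-pick onto the separate 0.11.5.1 patched line the advisory lists.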
    @@ -466,8 +467,16 @@ public boolean configure(StaplerRequest req, JSONObject json) {
             }
     
             @SuppressWarnings("unused")
    -        public ListBoxModel doFillProfileNameItems() {
    +        public ListBoxModel doFillProfileNameItems(@AncestorInPath Item item) {
                 final ListBoxModel model = new ListBoxModel();
    +            if (item != null && !item.hasPermission(Item.CONFIGURE)) {
    +                return model;
    +            }
    +            if (item == null && !Jenkins.get().hasPermission(Item.CREATE)) {
    +                // accessing from $JENKINS_URL/pipeline-syntax
    +                return model;
    +            }
    +
                 for (S3Profile profile : profiles) {
                     model.add(profile.getName(), profile.getName());
                 }
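Review bot: the gate itself is correct for a descriptor `doFill*` method, which any user holding Overall/Read can reach, and returning an empty `ListBoxModel` instead of throwing is the conventional Jenkins response; however the `item == null` branch should say why `Item.CREATE` is the chosen bar, since the inline comment `// accessing from $JENKINS_URL/pipeline-syntax` only records where the request originates, not why a user allowed to create jobs is entitled to read the configured profile names while one with only Overall/Read is not. The patch also touches a single file and adds no test; a regression test that invokes `doFillProfileNameItems` as a user with only Overall/Read (with and without an ancestor `Item`) and asserts an empty model would pin the fix against future refactoring.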
    
