VYPR
High severity · NVD Advisory · Published May 11, 2021 · Updated Aug 3, 2024

CVE-2021-21652

Description

CSRF in Jenkins Xray Plugin allows attackers to capture credentials by tricking users into connecting to attacker-controlled URLs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A cross-site request forgery (CSRF) vulnerability exists in Jenkins Xray - Test Management for Jira Plugin version 2.4.0 and earlier. The plugin does not properly validate requests, allowing an attacker to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method. [1][2]
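The endpoint pattern behind this class of Jenkins CSRF advisory, shown before and after the usual hardening, as an added illustration that is not the Xray plugin's code (the page has no fix diff). The method names, the credential type and the field names are assumptions; the Jenkins and credentials-plugin APIs used are real.

```java
// Added illustration of a Jenkins "test connection" form-validation endpoint;
// not the Xray plugin's source. Method names and credential type are assumed.
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;
import java.util.Collections;

public class ConnectionCheckExample {

    // BEFORE: answers GET from any origin with no permission check, so a page
    // the victim visits can make their browser call this URL with a
    // credentialsId the attacker already knows; the server then resolves that
    // credential and presents it to the attacker's host.
    public FormValidation doTestConnectionVulnerable(@AncestorInPath Item item,
            @QueryParameter String url, @QueryParameter String credentialsId) {
        return connect(item, url, credentialsId);
    }

    // AFTER: @RequirePOST rejects GET and subjects the request to the crumb
    // check Jenkins applies to POSTs; the permission check ties the action to
    // a user allowed to configure this item (or to administer Jenkins when
    // there is no item context).
    @RequirePOST
    public FormValidation doTestConnection(@AncestorInPath Item item,
            @QueryParameter String url, @QueryParameter String credentialsId) {
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            item.checkPermission(Item.CONFIGURE);
        }
        return connect(item, url, credentialsId);
    }

    // Resolves the credential by ID as a connection test would; the network
    // call is omitted. The lookup runs as SYSTEM, which is why the endpoint's
    // own authorization is the only control standing between a request and
    // the secret.
    private FormValidation connect(Item item, String url, String credentialsId) {
        StandardUsernamePasswordCredentials c = CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(
                        StandardUsernamePasswordCredentials.class, item,
                        ACL.SYSTEM, Collections.emptyList()),
                CredentialsMatchers.withId(credentialsId));
        if (c == null) return FormValidation.error("Unknown credentials ID");
        // A real test would send c.getUsername()/c.getPassword() to url here.
        return FormValidation.ok("Credential " + c.getId() + " resolved for " + url);
    }
}
```

Reviewing a plugin for this bug means checking every `do*` validation method that takes a URL or credentials ID for both the POST requirement and a permission check appropriate to its context.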

Exploitation

To exploit this vulnerability, an attacker must first obtain valid credentials IDs from Jenkins (e.g., via another vulnerability). Then, the attacker tricks a Jenkins user with appropriate permissions into sending a crafted request, which triggers a connection to an attacker-controlled URL using those credentials IDs. User interaction is required because CSRF relies on the victim's authenticated browser session. [2]

Impact

Successful exploitation allows the attacker to capture credentials stored in Jenkins by having the plugin connect to an attacker-specified URL with the obtained credentials IDs. This leads to information disclosure of sensitive credentials, potentially compromising further systems. [1][2]

Mitigation

As of the provided references, no fixed version is explicitly mentioned. Users should monitor the Jenkins Xray plugin page for updates. The vulnerability was reported in the Jenkins Security Advisory dated 2021-05-11. Until a fix is released, users may consider disabling the plugin if not in use, or applying strict network controls to limit outbound connections from Jenkins. [1]

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                 Ecosystem   Affected versions   Patched versions
org.jenkins-ci.plugins:xray-connector   Maven       < 2.4.1             2.4.1

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE: the mechanics section is only generated when we can read the actual fix diff. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 4

News mentions: 1