CVE-2021-21653
Description
Jenkins Xray - Test Management for Jira Plugin 2.4.0 and earlier lacks a permission check, allowing attackers with Overall/Read to enumerate credential IDs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Jenkins Xray - Test Management for Jira Plugin versions 2.4.0 and earlier contain a missing permission check in an HTTP endpoint. This allows any user with Overall/Read permission (the default for authenticated users) to access the endpoint and enumerate credential IDs stored in Jenkins. The vulnerability is present in all versions up to and including 2.4.0 [1][2].
Exploitation
An attacker needs only Overall/Read permission, which is typically granted to all authenticated Jenkins users. No additional authentication, user interaction, or special privileges are required. The attacker can send a crafted HTTP request to the vulnerable endpoint to retrieve a list of credential IDs [1][2].
Impact
Successful exploitation results in the disclosure of credential IDs. While the actual credential secrets (e.g., passwords, tokens) are not exposed, the IDs can be used to identify specific credentials for targeted attacks. This information disclosure could aid in further exploitation of the Jenkins instance [1][2].
Mitigation
Jenkins released a fix in version 2.4.1 of the Xray - Test Management for Jira Plugin. Users should upgrade to 2.4.1 or later. No workarounds are documented. The plugin is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [1][2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:xray-connector (Maven) | < 2.4.1 | 2.4.1 |
Affected products
- Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE: mechanics are only generated when the actual fix diff can be read. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- github.com/advisories/GHSA-5557-j87h-cvf4 (GHSA, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-21653 (GHSA, ADVISORY)
- www.jenkins.io/security/advisory/2021-05-11/ (MITRE, x_refsource_CONFIRM)
- www.jenkins.io/security/advisory/2021-05-11/ (GHSA, WEB)
News mentions
- Jenkins Security Advisory 2021-05-11 (Jenkins Security Advisories, May 11, 2021)