VYPR
Moderate severity · NVD Advisory · Published Jun 10, 2021 · Updated Aug 3, 2024

CVE-2021-21661

Description

Jenkins Kubernetes CLI Plugin 1.10.0 and earlier lacks permission checks, allowing attackers with Overall/Read to enumerate credentials IDs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Jenkins Kubernetes CLI Plugin versions 1.10.0 and earlier do not perform permission checks in several HTTP endpoints [1]. This missing authorization allows any attacker who has at least Overall/Read permission (a basic permission granted to most authenticated Jenkins users) to access these endpoints [2]. The affected plugin is kubernetes-cli [2].

Exploitation

An attacker with Overall/Read permission in Jenkins can send HTTP requests to the unprotected endpoints exposed by the Kubernetes CLI Plugin [1][2]. No additional authentication or privileges are required beyond that basic permission [2]. The attacker does not need any special network position beyond being able to reach the Jenkins instance and having a valid session with Overall/Read access.

Impact

A successful exploit allows the attacker to enumerate the credentials IDs of all credentials stored in Jenkins [1][2]. Credentials IDs are identifiers that can be used in subsequent attacks, such as exploiting another vulnerability to capture the credential values themselves [2]. The impact is limited to information disclosure of credentials IDs; however, this information can facilitate more severe attacks.

Mitigation

The vulnerability is fixed in Kubernetes CLI Plugin version 1.10.1, released on June 10, 2021 [2][3]. Users should upgrade to version 1.10.1 or later [3]. No workaround is available in the plugin itself; the only mitigation is to ensure that only trusted users have Overall/Read permission until the upgrade is applied.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
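To apply the upgrade guidance across several controllers, the following added example (not code from the advisory or the plugin project) classifies saved plugin inventories against the fixed version 1.10.1. It assumes each inventory is JSON shaped like the output of Jenkins' `/pluginManager/api/json?depth=1` endpoint; the controller names and sample contents are constructed.

```python
import json
import re

PLUGIN = "kubernetes-cli"  # plugin short name from the advisory
FIXED = (1, 10, 1)         # first fixed release per the advisory

def parse_version(text):
    """Split a version into (numeric tuple, qualifier); None if not numeric."""
    m = re.match(r"(\d+(?:\.\d+)*)(.*)", text.strip())
    if not m:
        return None
    nums = [int(n) for n in m.group(1).split(".")]
    nums += [0] * (len(FIXED) - len(nums))  # pad "1.10" to (1, 10, 0)
    return tuple(nums), m.group(2)

def assess(inventory_json):
    """Classify one controller's plugin inventory for CVE-2021-21661."""
    for p in json.loads(inventory_json).get("plugins", []):
        if p.get("shortName") != PLUGIN:
            continue
        parsed = parse_version(str(p.get("version", "")))
        if parsed is None:
            return "unknown"  # unparseable version string: review by hand
        nums, qualifier = parsed
        if nums == FIXED and qualifier:
            return "unknown"  # e.g. a pre-release build of 1.10.1: review by hand
        if nums >= FIXED:
            return "fixed"
        # A disabled copy still needs the upgrade before it is re-enabled.
        return "vulnerable" if p.get("enabled", True) else "vulnerable-disabled"
    return "not-installed"

def audit(inventories):
    """Map controller name -> status for a dict of saved inventory JSON."""
    return {name: assess(doc) for name, doc in inventories.items()}

def _inv(*plugins):
    """Build a constructed inventory document for the samples below."""
    return json.dumps({"plugins": [dict(zip(("shortName", "version", "enabled"), p)) for p in plugins]})

# Constructed sample inventories (assumption: not taken from any real system).
SAMPLE = {
    "ci-a": _inv(("kubernetes-cli", "1.10.0", True), ("git", "4.7.1", True)),
    "ci-b": _inv(("kubernetes-cli", "1.10.1", True)),
    "ci-c": _inv(("kubernetes-cli", "1.9.3", False)),
    "ci-d": _inv(("git", "4.7.1", True)),
    "ci-e": _inv(("kubernetes-cli", "1.10.1-rc1", True)),
}

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{name}: {status}")
```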

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| org.jenkins-ci.plugins:kubernetes-cli (Maven) | < 1.10.1 | 1.10.1 |
