VYPR
Moderate severity · NVD Advisory · Published Jun 10, 2021 · Updated Aug 3, 2024

CVE-2021-21662

Description

A missing permission check in Jenkins XebiaLabs XL Deploy Plugin 10.0.1 and earlier allows attackers with Overall/Read permission to enumerate the credential IDs of credentials stored in Jenkins.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins XebiaLabs XL Deploy Plugin 10.0.1 and earlier lacks a permission check, allowing attackers with Overall/Read to enumerate credential IDs.

Vulnerability

Jenkins XebiaLabs XL Deploy Plugin (deployit-plugin) versions 10.0.1 and earlier do not perform a permission check in a method that implements form validation. This missing check allows any attacker with the Overall/Read permission to access an HTTP endpoint that enumerates credential IDs of credentials stored in Jenkins. The affected method does not verify that the user has the required permission (e.g., Item.CONFIGURE or Permission.CREATE) before returning a list of credential IDs.

Exploitation

An attacker must have at minimum the Overall/Read permission in Jenkins, which is typically granted to anonymous or low-privilege users. The attacker can then send a crafted HTTP request to the vulnerable form validation endpoint without further authentication or interaction. The advisory from Jenkins [1] confirms that the method does not perform any permission check, so no additional steps or race conditions are needed.

Impact

Successful exploitation allows the attacker to enumerate credential IDs of all credentials stored in Jenkins. While this does not directly disclose the credential secrets, the enumerated IDs can be used as part of a further attack to capture the actual credentials using another vulnerability (such as missing permission checks in other plugin endpoints that accept credential IDs). The overall CIA impact is limited to information disclosure of credential identifiers, which could facilitate lateral movement or privilege escalation if combined with other flaws [1].

Mitigation

The fix was released in XebiaLabs XL Deploy Plugin version 10.0.2 on June 10, 2021 [2]. The commit 79ae204d2ee6cd94badf4c24a150cee13a3bde44 [4] adds explicit permission checks (e.g., Jenkins.getInstance().checkPermission(Permission.CREATE) and Jenkins.getInstance().checkPermission(Item.CONFIGURE)) to the affected form validation methods. Users should upgrade to version 10.0.2 or later immediately. There is no known workaround; disabling the plugin is the only alternative if an upgrade cannot be performed immediately.
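As an added example that is not the plugin's own code: a Jenkins doFill method of the kind the advisory describes, shown first without any check and then with the permission checked on the context the form belongs to, so folder-scoped authorizations are honoured and an unauthorized caller sees only the value already stored in the form. Class and method names are hypothetical; the Jenkins core and credentials-plugin APIs used are real.

```java
// Added illustration, not the plugin's code. Class and method names are
// hypothetical; the Jenkins core and credentials-plugin APIs are real.
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.model.Item;
import hudson.model.ItemGroup;
import hudson.security.ACL;
import hudson.security.AccessControlled;
import hudson.util.ListBoxModel;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

public class CredentialDropdownExample {

    // Before: no permission check. Any caller who can reach the endpoint
    // (Overall/Read) receives every credential ID visible to SYSTEM.
    public ListBoxModel doFillCredentialsIdItemsUnchecked(@AncestorInPath ItemGroup context) {
        return new StandardListBoxModel()
                .includeEmptyValue()
                .includeAs(ACL.SYSTEM, context, StandardUsernamePasswordCredentials.class);
    }

    // After: @POST keeps the endpoint off plain GET requests, and the check
    // is made on the object the form belongs to rather than on the root.
    @POST
    public ListBoxModel doFillCredentialsIdItems(@AncestorInPath ItemGroup context,
                                                 @QueryParameter String credentialsId) {
        StandardListBoxModel result = new StandardListBoxModel();
        if (context == null) {
            // Global configuration: only administrators may list credentials.
            if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
                return result.includeCurrentValue(credentialsId);
            }
        } else if (context instanceof AccessControlled) {
            // Folder or root: the caller must be allowed to configure it.
            if (!((AccessControlled) context).hasPermission(Item.CONFIGURE)) {
                return result.includeCurrentValue(credentialsId);
            }
        }
        // Authorized: enumerate as SYSTEM, scoped to the context.
        return result
                .includeEmptyValue()
                .includeAs(ACL.SYSTEM, context, StandardUsernamePasswordCredentials.class)
                .includeCurrentValue(credentialsId);
    }
}
```

The unauthorized branch returns a model rather than throwing, so the configuration form still renders for users who may edit the job but not list credentials.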

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.xebialabs.deployit.ci:deployit-plugin (Maven)
Affected versions: < 10.0.2
Patched versions: 10.0.2

Affected products (3)

Patches (1)

79ae204d2ee6

ENG-2021 Addresses SECURITY-1981 and SECURITY-1982. Permission check (#68)

https://github.com/jenkinsci/xldeploy-plugin · meenachauhan · Jan 15, 2021 · via ghsa
3 files changed · +12 −2
  • repo/pom.xml (+8 −1, modified)
    @@ -9,10 +9,17 @@
     	<version>5.0.0-SNAPSHOT</version>
     
     	<properties>
    -		<version.xl-platform>2015.2.0-RC-1</version.xl-platform>
    +		<version.xl-platform>2019.3.8</version.xl-platform>
     		<version.overthere>4.0.0</version.overthere>
     	</properties>
     
    +	<repositories>
    +		<repository>
    +			<id>xebialabs-maven2</id>
    +			<url>https://dist.xebialabs.com/public/maven2</url>
    +		</repository>
    +	</repositories>
    +
     	<dependencies>
     		<dependency>
     			<groupId>com.xebialabs.deployit</groupId>
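Review bot: the xl-platform bump from 2015.2.0-RC-1 to 2019.3.8 and the new dist.xebialabs.com repository are unrelated to the permission checks the commit message describes; split them into their own commit and state why the platform baseline moves in a security fix, so reviewers can separate build fallout from the fix itself.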
    
  • src/main/java/com/xebialabs/deployit/ci/Credential.java (+2 −0, modified)
    @@ -54,6 +54,7 @@
     import hudson.model.ItemGroup;
     import hudson.model.Project;
     import hudson.security.ACL;
    +import hudson.security.Permission;
     import hudson.util.FormValidation;
     import hudson.util.ListBoxModel;
     import hudson.util.Secret;
    @@ -319,6 +320,7 @@ public FormValidation doValidateUserNamePassword(@QueryParameter String deployit
             }
     
             public FormValidation doValidateCredential(@QueryParameter String deployitServerUrl, @QueryParameter String deployitClientProxyUrl, @QueryParameter String secondaryServerUrl, @QueryParameter String secondaryProxyUrl, @QueryParameter String credentialsId) throws IOException {
    +            Jenkins.getInstance().checkPermission(Permission.CREATE);
                 try {
     
                     String serverUrl = Strings.isNullOrEmpty(secondaryServerUrl) ? deployitServerUrl : secondaryServerUrl;
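Review bot: the check is made on the Jenkins root with Permission.CREATE, a generic instance-wide permission, while doValidateCredential has no @AncestorInPath parameter to scope it to the item being configured; add an @AncestorInPath Item parameter, check Item.CONFIGURE on it and fall back to Jenkins.ADMINISTER when there is no item, so the validation endpoint follows the same authorization as the job whose form is being validated. Since the method goes on to contact the configured server with the supplied credentials, also consider restricting it with @POST.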
    
  • src/main/java/com/xebialabs/deployit/ci/DeployitNotifier.java (+2 −1, modified)
    @@ -312,6 +312,7 @@ public ListBoxModel doFillCredentialItems() {
             }
     
             public ListBoxModel doFillCredentialsIdItems(@AncestorInPath ItemGroup context) {
    +          Jenkins.getInstance().checkPermission(Item.CONFIGURE);
                 List<StandardUsernamePasswordCredentials> creds = lookupCredentials(StandardUsernamePasswordCredentials.class, context,
                         ACL.SYSTEM,
                         HTTP_SCHEME, HTTPS_SCHEME);
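Review bot: the permission is checked on the Jenkins root even though the method already receives the ItemGroup context that the lookup is scoped to; check Item.CONFIGURE on that context (Jenkins and folders are AccessControlled) and fall back to Jenkins.ADMINISTER when it is null, otherwise a user who may configure jobs only inside one folder is denied the dropdown while a user with global Item/Configure can list credentials scoped to folders they cannot otherwise see. Returning a model that contains only the current value, instead of throwing, keeps the configuration form usable for such users. The added line is also indented two columns less than the surrounding method body.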
    @@ -415,4 +416,4 @@ public String expandValue(final String value, final Job project) {
                 return resolvedValue;
             }
         }
    -}
    \ No newline at end of file
    +}
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (5)

News mentions (1)