CVE-2021-21663

Vulnerability

A missing permission check in the Jenkins XebiaLabs XL Deploy Plugin versions 7.5.8 and earlier (and up to 10.0.1 per the advisory [2]) allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method [1]. The vulnerability exists in a method implementing form validation that does not perform the required permission checks [2].

Exploitation

An attacker must have Overall/Read permission on the Jenkins instance and must first obtain valid credentials IDs (e.g., via CVE-2021-21662, which enumerates credentials IDs [2]). The attacker then crafts a request to the vulnerable endpoint, supplying a URL under their control and a previously obtained credentials ID. The plugin will connect to that URL using the specified credentials, effectively sending the stored username and password to the attacker [1][2].

Impact

Successful exploitation allows the attacker to capture Username/password credentials stored in Jenkins [1]. This can lead to further compromise of Jenkins and any systems accessible with those credentials. The vulnerability is rated High severity (CVSS 8.8) [2].

Mitigation

The vulnerability is fixed in XebiaLabs XL Deploy Plugin version 10.0.2, released on June 10, 2021 [2][3]. Users should upgrade to 10.0.2 or later immediately. No workarounds are documented. The plugin is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.