VYPR
Moderate severity · NVD Advisory · Published Jun 10, 2021 · Updated Aug 3, 2024

CVE-2021-21664

Description

An incorrect permission check in Jenkins XebiaLabs XL Deploy Plugin 10.0.1 and earlier allows attackers with Generic Create permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing Username/password credentials stored in Jenkins.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins XebiaLabs XL Deploy Plugin ≤10.0.1 lacks a permission check, letting attackers with Generic Create access capture stored credentials via crafted requests.

Vulnerability

Jenkins XebiaLabs XL Deploy Plugin versions 10.0.1 and earlier contain an incorrect permission check in a method implementing form validation. This allows attackers with Generic Create permission to connect to an attacker-specified URL using attacker-specified credentials IDs (obtained through another method, such as CVE-2021-21662) and capture Username/password credentials stored in Jenkins. The vulnerability is tracked as SECURITY-1982 (CVE-2021-21664) [1][2].

Exploitation

An attacker must first obtain valid credentials IDs (e.g., via CVE-2021-21662, which allows enumeration by attackers with Overall/Read permission) and hold Generic Create permission in Jenkins. The attacker then sends a form validation request to the affected endpoint, supplying an attacker-controlled URL and the obtained credentials ID. Because the permission check is incorrect, the plugin accepts the request and connects to that URL with the stored Username/password credentials, exposing them to the attacker [1][2][3].

Impact

Successful exploitation allows an attacker to capture Username/password credentials stored in Jenkins, leading to unauthorized disclosure of sensitive credential data. This compromises the confidentiality of stored credentials, which can be used to access other systems or escalate privileges [1][2][3].

Mitigation

XebiaLabs XL Deploy Plugin version 10.0.2, released on June 10, 2021, fixes this issue by adding proper permission checks. Users should upgrade to version 10.0.2 or later. No workaround is provided; the plugin should be updated immediately [2][3][4].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                     Ecosystem   Affected versions   Patched versions
com.xebialabs.deployit.ci:deployit-plugin   Maven       < 10.0.2            10.0.2


Patches

Commit 79ae204d2ee6

ENG-2021 Addresses SECURITY-1981 and SECURITY-1982. Permission check (#68)

https://github.com/jenkinsci/xldeploy-plugin · meenachauhan · Jan 15, 2021 · via ghsa
3 files changed · +12 −2
  • repo/pom.xml (+8 −1, modified)
    @@ -9,10 +9,17 @@
     	<version>5.0.0-SNAPSHOT</version>
     
     	<properties>
    -		<version.xl-platform>2015.2.0-RC-1</version.xl-platform>
    +		<version.xl-platform>2019.3.8</version.xl-platform>
     		<version.overthere>4.0.0</version.overthere>
     	</properties>
     
    +	<repositories>
    +		<repository>
    +			<id>xebialabs-maven2</id>
    +			<url>https://dist.xebialabs.com/public/maven2</url>
    +		</repository>
    +	</repositories>
    +
     	<dependencies>
     		<dependency>
     			<groupId>com.xebialabs.deployit</groupId>
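Review bot: the xl-platform bump from 2015.2.0-RC-1 to 2019.3.8 and the new xebialabs-maven2 repository in this hunk are unrelated to the permission checks the commit message describes; a dependency upgrade spanning that many releases changes behaviour on its own and makes the security fix harder to review and to backport, so it belongs in a separate commit, or the commit message should at least say why the fix needs it.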
    
  • src/main/java/com/xebialabs/deployit/ci/Credential.java (+2 −0, modified)
    @@ -54,6 +54,7 @@
     import hudson.model.ItemGroup;
     import hudson.model.Project;
     import hudson.security.ACL;
    +import hudson.security.Permission;
     import hudson.util.FormValidation;
     import hudson.util.ListBoxModel;
     import hudson.util.Secret;
    @@ -319,6 +320,7 @@ public FormValidation doValidateUserNamePassword(@QueryParameter String deployit
             }
     
             public FormValidation doValidateCredential(@QueryParameter String deployitServerUrl, @QueryParameter String deployitClientProxyUrl, @QueryParameter String secondaryServerUrl, @QueryParameter String secondaryProxyUrl, @QueryParameter String credentialsId) throws IOException {
    +            Jenkins.getInstance().checkPermission(Permission.CREATE);
                 try {
     
                     String serverUrl = Strings.isNullOrEmpty(secondaryServerUrl) ? deployitServerUrl : secondaryServerUrl;
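Review bot: `Jenkins.getInstance().checkPermission(Permission.CREATE)` added to `doValidateCredential` only requires the generic Create permission, which is the very permission the advisory above says the attacker holds, so the check does not stop such a user from pointing this method at a `deployitServerUrl` of their choosing with someone else's `credentialsId`. Since the method connects to a user-supplied server with a stored credential, it should require a permission tied to the item being configured (`Item.CONFIGURE`, as the DeployitNotifier.java hunk uses), checked against an `@AncestorInPath Item` parameter rather than the Jenkins root, and be annotated `@POST` so the side effect cannot be triggered by a GET.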
    
  • src/main/java/com/xebialabs/deployit/ci/DeployitNotifier.java (+2 −1, modified)
    @@ -312,6 +312,7 @@ public ListBoxModel doFillCredentialItems() {
             }
     
             public ListBoxModel doFillCredentialsIdItems(@AncestorInPath ItemGroup context) {
    +          Jenkins.getInstance().checkPermission(Item.CONFIGURE);
                 List<StandardUsernamePasswordCredentials> creds = lookupCredentials(StandardUsernamePasswordCredentials.class, context,
                         ACL.SYSTEM,
                         HTTP_SCHEME, HTTPS_SCHEME);
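Review bot: the added check asks the Jenkins root for `Item.CONFIGURE` instead of the `context` that `@AncestorInPath` already supplies, so a user granted Configure on a folder but not globally is denied a list they are entitled to, while the decision ignores the scope the credentials are then looked up in; check `context` when it is an `AccessControlled` (falling back to Jenkins when it is null) and return an empty `ListBoxModel` rather than throwing, which is the usual pattern for fill methods. The added line is also indented two spaces less than the surrounding body.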
    @@ -415,4 +416,4 @@ public String expandValue(final String value, final Job project) {
                 return resolvedValue;
             }
         }
    -}
    \ No newline at end of file
    +}
    

