CVE-2021-21665
Description
A cross-site request forgery (CSRF) vulnerability in Jenkins XebiaLabs XL Deploy Plugin 10.0.1 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing Username/password credentials stored in Jenkins.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF in Jenkins XebiaLabs XL Deploy Plugin ≤10.0.1 lets attackers with Overall/Read capture stored credentials by making Jenkins connect to an attacker-specified URL.
Vulnerability
A cross-site request forgery (CSRF) vulnerability exists in Jenkins XebiaLabs XL Deploy Plugin (deployit-plugin) version 10.0.1 and earlier. The plugin does not require a CSRF token for a form validation endpoint, allowing attackers to perform unauthorized actions on behalf of an authenticated Jenkins user [1][2].
Exploitation
An attacker must first obtain credentials IDs (e.g., via CVE-2021-21662, which requires Overall/Read permission) [2]. With a crafted CSRF request, the attacker can trigger the plugin to connect to an attacker-specified URL using those credentials IDs, causing Jenkins to send the stored credentials to the attacker's server [1][2][3].
Impact
Successful exploitation allows the attacker to capture username/password credentials stored in Jenkins, leading to credential disclosure and potential further compromise [2].
Mitigation
The vulnerability is fixed in XebiaLabs XL Deploy Plugin version 10.0.2, released on June 10, 2021 [2][3]. Users should upgrade immediately. No workaround is available for earlier versions.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (Maven) | Affected versions | Patched versions |
|---|---|---|
| com.xebialabs.deployit.ci:deployit-plugin | < 10.0.2 | 10.0.2 |
Affected products
- Range: <=10.0.1
- Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-38pm-74xc-phcw (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-21665 (NVD entry)
- www.openwall.com/lists/oss-security/2021/06/10/14 (oss-security mailing list)
- www.jenkins.io/security/advisory/2021-06-10/ (Jenkins security advisory)
News mentions
- Jenkins Security Advisory 2021-06-10 (Jenkins Security Advisories, Jun 10, 2021)