VYPR
Moderate severity · NVD Advisory · Published Apr 8, 2021 · Updated Aug 3, 2024

CVE-2021-22513

Description

The Micro Focus Application Automation Tools Plugin for Jenkins versions 6.7 and earlier lack permission checks, allowing unauthenticated access to sensitive endpoints.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Micro Focus Application Automation Tools Plugin (now OpenText Application Automation Tools Plugin) for Jenkins, versions 6.7 and earlier, contains a missing authorization vulnerability [1]. The plugin performs no permission checks on several HTTP endpoints. The fix commit [2] identifies them: the doDynamic method of PluginActions.java, a root action that dispatches on substrings of the request URI to a status query, re-enqueueing of events, clearing of the job list cache, clearing of the Octane roots cache and retrieval of the Octane roots cache; and three web methods on the global configuration pages, doCheckAlmServerUrl in AlmServerSettingsGlobalConfiguration.java and doTestConnection in both OctaneServerSettingsGlobalConfiguration.java and SvServerSettingsGlobalConfiguration.java. None of them required any Jenkins permission, and the three configuration-page methods also accepted GET requests.

Exploitation

An attacker with network access to the Jenkins instance can send crafted HTTP requests directly to these endpoints. The fix [2] adds Jenkins.get().checkPermission(Jenkins.READ) at the start of doDynamic and Jenkins.get().checkPermission(Jenkins.ADMINISTER) in the branches that re-enqueue events or clear caches, and puts @RequirePOST together with an ADMINISTER check on doCheckAlmServerUrl and both doTestConnection methods (the ALM config.jelly is changed to checkMethod="post" to match). Before the fix an unauthenticated attacker, or a user without the relevant permission, could invoke any of them. The SV doTestConnection method is the most useful to an attacker: it takes url, username and password query parameters and has the Jenkins controller open a connection to that URL with those credentials, and because it accepted GET requests the call could also be triggered from another site in an administrator's browser. The concrete URL paths of the doDynamic sub-endpoints are constants that the diff does not show.
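The class of bug here is a Stapler web method (a public do* method) whose body never calls checkPermission. The following added Python example, not code from the plugin or from Jenkins, is a heuristic lint that finds such methods in Java source and also reports whether each carries @RequirePOST. The Java it scans is constructed for this example and modelled on the pre-fix shapes in the commit below (a doDynamic without a check, a doTestConnection with @RequirePOST and an ADMINISTER check, a doCheck with neither); the regex and bracket matching are an approximation, not a Java parser.

```python
"""Heuristic lint for Jenkins plugin web methods that lack a permission check.

Added example for this advisory page, not code from the plugin or from Jenkins.
It scans Java source for Stapler-style web methods (public methods named
do<Capital>...) and reports, per method, whether its body calls
checkPermission(...) and whether it carries @RequirePOST. Bracket matching is
textual and ignores strings and comments, so treat the output as triage input.
"""
import re
from dataclasses import dataclass

# Optional annotations, then "public <return type> do<Name>(".
METHOD_RE = re.compile(
    r"(?P<annos>(?:@\w+(?:\([^)]*\))?\s*)*)"
    r"public\s+[\w<>\[\],\s]+?\s+(?P<name>do[A-Z]\w*)\s*\("
)
PERMISSION_RE = re.compile(r"\bcheckPermission\s*\(")
REQUIRE_POST_RE = re.compile(r"@RequirePOST\b")


@dataclass
class WebMethod:
    name: str
    line: int
    has_permission_check: bool
    requires_post: bool


def _closing(src: str, start: int, open_ch: str, close_ch: str) -> int:
    """Index of the bracket that closes src[start]; naive depth counting."""
    depth = 0
    for i in range(start, len(src)):
        if src[i] == open_ch:
            depth += 1
        elif src[i] == close_ch:
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced brackets after offset %d" % start)


def scan(src: str) -> list[WebMethod]:
    """Return every web method found in src with its guard status."""
    found = []
    for m in METHOD_RE.finditer(src):
        params_close = _closing(src, m.end() - 1, "(", ")")
        body_open = src.find("{", params_close)
        # A ';' before the next '{' means a body-less (abstract/interface) declaration.
        if body_open == -1 or ";" in src[params_close:body_open]:
            continue
        body = src[body_open : _closing(src, body_open, "{", "}") + 1]
        found.append(WebMethod(
            name=m.group("name"),
            line=src.count("\n", 0, m.start("name")) + 1,
            has_permission_check=bool(PERMISSION_RE.search(body)),
            requires_post=bool(REQUIRE_POST_RE.search(m.group("annos"))),
        ))
    return found


def unguarded(src: str) -> list[str]:
    """Names of web methods whose body never calls checkPermission."""
    return [w.name for w in scan(src) if not w.has_permission_check]


# Constructed sample (not the plugin's source): the method shapes touched by the fix.
SAMPLE_JAVA = """\
public class DemoSettings extends GlobalConfiguration {

    public void doDynamic(StaplerRequest req, StaplerResponse res) throws IOException {
        res.setStatus(200);
        if (req.getRequestURI().toLowerCase().contains("clearcache")) {
            resetCache();
        }
    }

    @RequirePOST
    @SuppressWarnings("unused")
    public FormValidation doTestConnection(@QueryParameter("url") final String url,
                                           @QueryParameter("password") final String password) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return FormValidation.ok();
    }

    public FormValidation doCheckPassword(@QueryParameter String value, @QueryParameter String url) {
        return FormValidation.ok();
    }

    public boolean configure(StaplerRequest req, JSONObject formData) {
        return true;
    }
}
"""

if __name__ == "__main__":
    for w in scan(SAMPLE_JAVA):
        flags = ("guarded" if w.has_permission_check else "UNGUARDED",
                 "POST-only" if w.requires_post else "any-method")
        print(f"{w.line:4d}  {w.name:<20s} {' / '.join(flags)}")
```

Run it over a plugin's src/main/java tree and review every UNGUARDED hit by hand: a doCheck that only returns FormValidation.ok() is harmless, while one that opens a connection or reads credentials is the pattern fixed in this commit. A method flagged "any-method" that changes state is the CSRF half of the same review.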

Impact

Successful exploitation may lead to unauthorized disclosure of sensitive information (e.g., job list cache contents, Octane roots cache) or unauthorized modification of internal plugin state (e.g., clearing caches, re-enqueuing events). The severity is considered medium (CVSS 6.5) by the Jenkins security advisory [3]. No remote code execution or full system compromise is implied, but the lack of authorization could undermine the integrity and confidentiality of Jenkins build data.

Mitigation

The vulnerability is fixed in plugin version 6.8, released on April 7, 2021 [3]. Users should upgrade to version 6.8 or later. The Jenkins Security Advisory for 2021-04-07 [3] lists this issue as SECURITY-2132. No workaround is provided for versions 6.7 and earlier; upgrading is the only mitigation. Note that the Affected packages table on this page, sourced from the GitHub Security Advisory, gives < 7.2.3-beta as the affected range and 7.2.3-beta as the patched version; check an installed version against both figures rather than assuming 6.8 alone. After upgrading, the status branch of doDynamic remains reachable by anyone holding Overall/Read, which on instances that grant that permission to anonymous users still includes unauthenticated clients. The plugin is currently maintained under the OpenText Application Automation Tools name [4].
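To check an instance against the two fixed versions cited on this page, here is an added Python example (not code from Jenkins or the plugin). It parses the JSON that Jenkins' /pluginManager/api/json?depth=1 endpoint returns, looks up hp-application-automation-tools-plugin by its short name, and says whether the installed version is below 6.8 and below 7.2.3-beta. The JSON payload in the block is constructed for the example, and the version grammar it accepts (dotted numbers with an optional -tag that sorts before the bare release) is an assumption.

```python
"""Check an installed plugin version against the fixed versions cited on this page.

Added example for this advisory, not Jenkins or plugin code. It reads the JSON
that Jenkins' /pluginManager/api/json?depth=1 endpoint returns (a "plugins"
array whose entries carry "shortName" and "version"), finds
hp-application-automation-tools-plugin, and reports whether the version is
below each fixed version the page cites. The sample JSON is constructed; the
version grammar is an assumption made for this example.
"""
import json
import re

PLUGIN = "hp-application-automation-tools-plugin"
FIXED_VERSIONS = {"jenkins-advisory": "6.8", "ghsa": "7.2.3-beta"}

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:-([A-Za-z0-9.]+))?")


def parse_version(text: str) -> tuple:
    """'7.2.3-beta' -> ((7, 2, 3), -1, 'beta'); '6.8' -> ((6, 8, 0), 0, '').

    The middle element makes a pre-release sort below its bare release, so
    7.2.3-beta < 7.2.3, while 7.2.2 < 7.2.3-beta still holds.
    """
    m = _VERSION_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * max(0, 3 - len(nums))
    tag = m.group(2)
    return (nums, 0, "") if tag is None else (nums, -1, tag)


def is_vulnerable(installed: str, fixed: str) -> bool:
    """True when installed sorts strictly below fixed."""
    return parse_version(installed) < parse_version(fixed)


def installed_version(plugin_manager_json: str, short_name: str = PLUGIN):
    """Version string of short_name from pluginManager JSON, or None if absent."""
    for plugin in json.loads(plugin_manager_json).get("plugins", []):
        if plugin.get("shortName") == short_name:
            return plugin.get("version")
    return None


def assess(plugin_manager_json: str):
    """Map each cited fixed version to a vulnerable/not verdict; None if plugin absent."""
    version = installed_version(plugin_manager_json)
    if version is None:
        return None
    return {label: is_vulnerable(version, fixed) for label, fixed in FIXED_VERSIONS.items()}


# Constructed sample of the pluginManager payload for a controller running 6.7.
SAMPLE_JSON = json.dumps({"plugins": [
    {"shortName": "git", "version": "4.7.1", "active": True},
    {"shortName": PLUGIN, "version": "6.7", "active": True},
]})

if __name__ == "__main__":
    print(installed_version(SAMPLE_JSON), assess(SAMPLE_JSON))
```

Fetch the real payload with an account allowed to view the plugin manager, for example `curl -u user:apitoken 'https://<jenkins>/pluginManager/api/json?depth=1'`, and feed the response to assess(). A result of False for both labels means the installed version is at or above both cited fixes; a mixed result means the two advisories disagree for that version and the GHSA range should be treated as the stricter of the two.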

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:hp-application-automation-tools-plugin (Maven)
Affected versions: < 7.2.3-beta
Patched versions: 7.2.3-beta

Patches (1)

497a143d9a95

[SECURITY-2132]

5 files changed · +18 −1
  • src/main/java/com/microfocus/application/automation/tools/octane/actions/PluginActions.java  +5 −0  modified
    @@ -35,6 +35,7 @@
     import com.microfocus.application.automation.tools.octane.configuration.ConfigurationService;
     import hudson.Extension;
     import hudson.model.RootAction;
    +import jenkins.model.Jenkins;
     import net.sf.json.JSONObject;
     import org.apache.http.entity.ContentType;
     import org.kohsuke.stapler.StaplerRequest;
    @@ -84,19 +85,23 @@ public String getUrlName() {
     
         public void doDynamic(StaplerRequest req, StaplerResponse res) throws IOException {
     
    +        Jenkins.get().checkPermission(Jenkins.READ);
             res.setHeader(CONTENT_TYPE, ContentType.TEXT_PLAIN.getMimeType());
             res.setStatus(200);
             if (req.getRequestURI().toLowerCase().contains(STATUS_REQUEST)) {
                 JSONObject result = getStatusResult(req.getParameterMap());
                 res.setHeader(CONTENT_TYPE, ContentType.APPLICATION_JSON.getMimeType());
                 res.getWriter().write(result.toString());
             } else if (req.getRequestURI().toLowerCase().contains(REENQUEUE_EVENT_REQUEST)) {
    +            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
                 reEnqueueEvent(req.getParameterMap());
                 res.getWriter().write("resent");
             } else if (req.getRequestURI().toLowerCase().contains(CLEAR_JOB_LIST_CACHE)) {
    +            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
                 resetJobListCache();
                 res.getWriter().write("done");
             } else if (req.getRequestURI().toLowerCase().contains(CLEAR_OCTANE_ROOTS_CACHE)) {
    +            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
                 resetOctaneRootsCache();
                 res.getWriter().write("done");
             } else if (req.getRequestURI().toLowerCase().contains(OCTANE_ROOTS_CACHE)) {
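Review bot: the three state-changing branches (reEnqueueEvent, resetJobListCache, resetOctaneRootsCache) are now gated on Overall/Administer but remain reachable by GET, because doDynamic carries no @RequirePOST and never inspects req.getMethod(); the other files in this commit add @RequirePOST to their mutating web methods, and these branches need the same, for example `if (!"POST".equals(req.getMethod())) { res.sendError(405); return; }` ahead of each mutating call (annotating doDynamic itself would also block the read-only status branch). Two smaller points: res.setStatus(200) and the text/plain Content-Type are written before the ADMINISTER checks run, so move the permission checks ahead of them; and dispatch by req.getRequestURI().toLowerCase().contains(...) is substring and order based, so if CLEAR_OCTANE_ROOTS_CACHE contains OCTANE_ROOTS_CACHE the clear branch must stay listed before the read branch, which is fragile compared with matching the path segment exactly.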
    
  • src/main/java/com/microfocus/application/automation/tools/settings/AlmServerSettingsGlobalConfiguration.java  +4 −0  modified
    @@ -37,12 +37,14 @@
     import hudson.XmlFile;
     import hudson.util.FormValidation;
     import jenkins.model.GlobalConfiguration;
    +import jenkins.model.Jenkins;
     import net.sf.json.JSONArray;
     import net.sf.json.JSONObject;
     import org.apache.commons.lang.StringUtils;
     import org.apache.logging.log4j.Logger;
     import org.kohsuke.stapler.QueryParameter;
     import org.kohsuke.stapler.StaplerRequest;
    +import org.kohsuke.stapler.interceptor.RequirePOST;
     
     import java.io.IOException;
     import java.io.Serializable;
    @@ -125,7 +127,9 @@ public boolean configure(StaplerRequest req, JSONObject formData) throws FormExc
             return super.configure(req, formData);
         }
     
    +    @RequirePOST
         public FormValidation doCheckAlmServerUrl(@QueryParameter String value) {
    +        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
             return checkQcServerURL(value, false);
         }
     
    
  • src/main/java/com/microfocus/application/automation/tools/settings/OctaneServerSettingsGlobalConfiguration.java  +4 −0  modified
    @@ -48,13 +48,15 @@
     import hudson.util.FormValidation;
     import hudson.util.Secret;
     import jenkins.model.GlobalConfiguration;
    +import jenkins.model.Jenkins;
     import net.sf.json.JSONArray;
     import net.sf.json.JSONObject;
     import org.apache.commons.lang.StringEscapeUtils;
     import org.apache.commons.lang.StringUtils;
     import org.apache.logging.log4j.Logger;
     import org.kohsuke.stapler.QueryParameter;
     import org.kohsuke.stapler.StaplerRequest;
    +import org.kohsuke.stapler.interceptor.RequirePOST;
     
     import java.io.Serializable;
     import java.util.*;
    @@ -347,6 +349,7 @@ private void fireOnChanged(OctaneServerSettingsModel newConf, OctaneServerSettin
             }
         }
     
    +    @RequirePOST
         @SuppressWarnings("unused")
         public FormValidation doTestConnection(StaplerRequest req,
                                                @QueryParameter("uiLocation") String uiLocation,
    @@ -357,6 +360,7 @@ public FormValidation doTestConnection(StaplerRequest req,
                                                @QueryParameter("workspace2ImpersonatedUserConf") String workspace2ImpersonatedUserConf,
                                                @QueryParameter("parameters") String parameters
         ) {
    +        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
             String myImpersonatedUser = StringUtils.trim(impersonatedUser);
             String myUsername = StringUtils.trim(username);
             OctaneUrlParser octaneUrlParser;
    
  • src/main/java/com/microfocus/application/automation/tools/settings/SvServerSettingsGlobalConfiguration.java  +4 −0  modified
    @@ -38,10 +38,12 @@
     import hudson.XmlFile;
     import hudson.util.FormValidation;
     import jenkins.model.GlobalConfiguration;
    +import jenkins.model.Jenkins;
     import net.sf.json.JSONObject;
     import org.apache.commons.lang.StringUtils;
     import org.kohsuke.stapler.QueryParameter;
     import org.kohsuke.stapler.StaplerRequest;
    +import org.kohsuke.stapler.interceptor.RequirePOST;
     
     import java.io.Serializable;
     import java.net.MalformedURLException;
    @@ -135,10 +137,12 @@ public FormValidation doCheckPassword(@QueryParameter String value, @QueryParame
             return FormValidation.ok();
         }
     
    +    @RequirePOST
         @SuppressWarnings("unused")
         public FormValidation doTestConnection(@QueryParameter("url") final String url, @QueryParameter("username") final String username,
                                                @QueryParameter("password") final String password) {
             try {
    +            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
                 Credentials credentials = (!StringUtils.isBlank(username)) ? new Credentials(username, password) : null;
                 ICommandExecutor commandExecutor = new CommandExecutorFactory().createCommandExecutor(new URL(url), credentials);
                 ServerInfo serverInfo = commandExecutor.getClient().getServerInfo();
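Review bot: the new checkPermission call sits inside the try block; if the catch clause that follows this hunk handles Exception broadly, the access-denied exception thrown for an unauthorized caller is turned into a FormValidation error, so the caller sees a validation message instead of the usual 403. No connection is attempted either way, so it is not a bypass, but moving `Jenkins.get().checkPermission(Jenkins.ADMINISTER);` above `try {` keeps the denial path consistent with the Octane doTestConnection in this commit, where the check precedes any work.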
    
  • src/main/resources/com/microfocus/application/automation/tools/settings/AlmServerSettingsGlobalConfiguration/config.jelly  +1 −1  modified
    @@ -50,7 +50,7 @@
     			</f:entry>
     
     			<f:entry title="${%ALM server URL}" field="almServerUrl">
    -				<f:textbox value="${inst.almServerUrl}" name="alm.almServerUrl" />
    +				<f:textbox value="${inst.almServerUrl}" name="alm.almServerUrl" checkMethod="post" />
     			</f:entry>
     
                 <f:entry>
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
