CVE-2021-21643 — Vulnetix

CVE-2021-21643 PUBLISHED CVSS 4 MEDIUM

Jenkins Config File Provider Plugin 3.7.0 and earlier does not correctly perform permission checks in several HTTP endpoints, allowing attackers with global Job/Configure permission to enumerate system-scoped credentials IDs of credentials stored in Jenkins.

EPSS 0.83% · 75.0th percentile

Risk Scores

CVSS 2.0

EPSS Score

0.83%

75.0th percentile

Affected Products

Vendor	Product	Versions
Maven	org.jenkins-ci.plugins:config-file-provider	0
Jenkins project	Jenkins Config File Provider Plugin	unspecified
jenkins	config_file_provider	0

Exploit Intelligence

https://www.jenkins.io/security/advisory/2021-04-21/#SECURITY-2254 (circl)
[oss-security] 20210421 Multiple vulnerabilities in Jenkins plugins (circl)

Timeline

Apr 21, 2021 CVE Published
Apr 27, 2021 EPSS Score
Jun 30, 2021 EPSS Score
Nov 2, 2021 EPSS Score
Jan 3, 2022 EPSS Score
Jan 6, 2022 EPSS Score
Mar 6, 2022 EPSS Score
Apr 1, 2022 EPSS Score
May 8, 2022 EPSS Score
Jul 9, 2022 EPSS Score
Nov 11, 2022 EPSS Score
Jan 13, 2023 EPSS Score

References

https://www.jenkins.io/security/advisory/2021-04-21/#SECURITY-2254 url
[oss-security] 20210421 Multiple vulnerabilities in Jenkins plugins mailing-list
https://nvd.nist.gov/vuln/detail/CVE-2021-21643 advisory
https://github.com/jenkinsci/config-file-provider-plugin/commit/d615e3278358b033f5e8d0d2e3f38f467b0e29f2 url
https://github.com/jenkinsci/config-file-provider-plugin package

Open in Interactive Console →