XebiaLabs · Jenkins XebiaLabs XL Deploy Plugin · CVE-2021-21662
**Name of the Vulnerable Software and Affected Versions**
Jenkins XebiaLabs XL Deploy Plugin versions 10.0.1 and earlier
**Description**
A missing permission check in the plugin allows attackers with Overall/Read permission to enumerate the IDs of credentials stored in Jenkins. The issue is in a method implementing form validation that does not perform a permission check; this lets attackers obtain credentials IDs that can then be used as part of an attack to capture the credentials through another vulnerability.
**Recommendations**
For Jenkins XebiaLabs XL Deploy Plugin versions 10.0.1 and earlier, update to a version that adds the missing permission check to prevent credentials ID enumeration. As a temporary workaround, restrict access to the plugin's form validation method to minimize the risk of exploitation.