PT-2021-14668 · Amazon · AWS Parameter Store Build Wrapper

Daniel Beck · Published 2021-03-18 · Updated 2023-10-25 · CVE-2021-21625

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Jenkins CloudBees AWS Credentials Plugin versions 1.28 and earlier

Description

The issue allows attackers with Overall/Read permission to enumerate the credentials IDs of AWS credentials stored in Jenkins under certain circumstances. This can occur when specific plugins are installed, such as the Amazon Elastic Container Service (ECS) / Fargate, AWS Parameter Store Build Wrapper, or AWS SAM plugins. The enumerated credentials IDs can be used as part of an attack to capture the credentials using another vulnerability.

Recommendations

For Jenkins CloudBees AWS Credentials Plugin versions 1.28 and earlier, update to version 1.28.1 or later, which performs permission checks in the helper method for HTTP endpoints. As a temporary workaround, consider restricting access to the helper method for HTTP endpoints until the update can be applied. Additionally, review the installed plugins that may use this helper method without performing a permission check themselves, such as the Amazon Elastic Container Service (ECS) / Fargate, AWS Parameter Store Build Wrapper, or AWS SAM plugins, and ensure they are updated or configured to mitigate the risk.

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2021-21625
GHSA-JWR9-H4JM-C9CH

Affected Products

AWS Parameter Store Build Wrapper
AWS SAM
Amazon Elastic Container Service (ECS) / Fargate
Jenkins
Jenkins CloudBees AWS Credentials Plugin