PT-2021-14675 · Jenkins · Jenkins Owasp Dependency-Track Plugin+1

Justin Philip · Published 2021-03-30 · Updated 2023-10-25 · CVE-2021-21632

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins OWASP Dependency-Track Plugin versions 3.1.0 and earlier

Description: A missing permission check in the plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL, capturing credentials stored in Jenkins. The issue affects several HTTP endpoints, where attackers can use attacker-specified credentials IDs to capture "Secret text" credentials. If no credentials ID is specified, the globally configured credential is used, if set up, and can be captured.

Recommendations: For Jenkins OWASP Dependency-Track Plugin versions 3.1.0 and earlier, update to version 3.1.1 or later, which requires appropriate permissions for the affected HTTP endpoints. As a temporary workaround, consider restricting access to the affected HTTP endpoints to minimize the risk of exploitation.
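The following is an added illustration of the weakness class this advisory describes and of the fix it points to (a permission check on the endpoint); it is not the Dependency-Track plugin's own code, and the class name, method names and `probe` helper are hypothetical. It assumes the standard Jenkins core, Stapler, Credentials and Plain Credentials plugin APIs.

```java
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;
import hudson.security.ACL;
import hudson.util.FormValidation;
import java.util.Collections;
import jenkins.model.Jenkins;
import org.jenkinsci.plugins.plaincredentials.StringCredentials;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

// Hypothetical global-configuration descriptor with a "Test connection" button.
public class ExampleGlobalConfig {

    // Weak pattern from the advisory: any user with Overall/Read can reach this
    // endpoint, name any stored "Secret text" credential ID, and have its value
    // sent to a URL of their choosing.
    public FormValidation doTestConnectionWeak(@QueryParameter String url,
                                               @QueryParameter String credentialsId) {
        StringCredentials c = lookup(credentialsId);
        if (c == null) return FormValidation.error("Credential not found");
        return probe(url, c.getSecret().getPlainText());
    }

    // Hardened form: accept only POST (no triggering via a crafted GET link) and
    // require the permission that editing this global configuration already needs.
    @POST
    public FormValidation doTestConnection(@QueryParameter String url,
                                           @QueryParameter String credentialsId) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER); // the check that was missing
        StringCredentials c = lookup(credentialsId);
        if (c == null) return FormValidation.error("Credential not found");
        return probe(url, c.getSecret().getPlainText());
    }

    // Resolve a "Secret text" credential by ID from the global store. An empty ID
    // yields null instead of silently falling back to a globally configured one.
    private static StringCredentials lookup(String credentialsId) {
        if (credentialsId == null || credentialsId.isEmpty()) return null;
        return CredentialsMatchers.firstOrNull(
            CredentialsProvider.lookupCredentials(StringCredentials.class, Jenkins.get(),
                ACL.SYSTEM, Collections.<DomainRequirement>emptyList()),
            CredentialsMatchers.withId(credentialsId));
    }

    // Placeholder for the real connectivity test against `url` using `apiKey`.
    private static FormValidation probe(String url, String apiKey) {
        return FormValidation.ok("Reached " + url);
    }
}
```

The permission check and `@POST` annotation are the whole fix; the credential lookup and network call stay as they were.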

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2021-21632
GHSA-XFRW-PCMC-R2P3

Affected Products

Jenkins
Jenkins Owasp Dependency-Track Plugin