PT-2021-14676 · Jenkins · Jenkins OWASP Dependency-Track Plugin

Justin Philip · Published 2021-03-30 · Updated 2023-11-30 · CVE-2021-21633

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Jenkins OWASP Dependency-Track Plugin versions 3.1.0 and earlier

Description: The OWASP Dependency-Track Plugin exposes several HTTP endpoints that neither perform permission checks nor require POST requests. Because no permission check is performed, an attacker with Overall/Read permission can make the Jenkins controller connect to an attacker-specified URL. Because POST is not required, the same request can also be triggered as a cross-site request forgery (CSRF): a user who holds the necessary permission only has to visit an attacker-controlled page while logged in to Jenkins. The connection is made with the credential selected by an attacker-supplied credentials ID (obtained through another method), so the attacker's server captures the "Secret text" credential stored in Jenkins. If no credentials ID is supplied, the globally configured credential is used, if one is set up, so an attacker needs no credentials ID at all in that case.

Recommendations: For Jenkins OWASP Dependency-Track Plugin versions 3.1.0 and earlier, update to version 3.1.1 or later, which requires POST requests and appropriate permissions for the affected HTTP endpoints. Until the update is applied, restrict access to the affected HTTP endpoints (for example by blocking them at a reverse proxy in front of Jenkins) to reduce the chance of exploitation, and avoid configuring a global credential for the plugin, so that a forged request carrying no credentials ID has nothing to exfiltrate. After updating, confirm the installed plugin version on every controller rather than assuming the update went through.
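The version check an operator would run after reading the recommendation above, as an added example that is not part of this advisory or of the plugin project's own code. It reads the plugin inventory that Jenkins serves at /pluginManager/api/json?depth=1 (a standard Jenkins REST endpoint, readable with Overall/Read) and reports any install of the plugin at 3.1.0 or earlier. It assumes the plugin's short name in the plugin manager is "dependency-track"; the embedded inventory is a constructed sample, not data captured from a real controller.

```python
"""Find OWASP Dependency-Track Plugin installs affected by CVE-2021-21633.

Added illustration, not code from the advisory or the plugin project.
Assumption: the plugin is registered with Jenkins under the short name
"dependency-track" (verify in Manage Jenkins > Plugins if unsure).
"""
import base64
import json
import re
import sys
import urllib.request

PLUGIN_SHORT_NAME = "dependency-track"  # assumed plugin id, see docstring
FIXED_VERSION = (3, 1, 1)               # first release with POST + permission checks

# Constructed sample inventory in the shape of /pluginManager/api/json?depth=1.
SAMPLE_INVENTORY = {
    "plugins": [
        {"shortName": "credentials", "version": "2.3.19", "active": True},
        {"shortName": "dependency-track", "version": "3.1.0", "active": True},
    ]
}


def parse_version(version):
    """Map '3.1.0', '3.1' or '3.1.1-SNAPSHOT' to a three-part int tuple.

    Only the leading numeric components are compared; a qualifier such as
    '-SNAPSHOT' is dropped, so review pre-release builds by hand.
    """
    parts = []
    for piece in re.split(r"[.\-]", version):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version):
    """True for 3.1.0 and earlier, i.e. anything below the fixed version."""
    return parse_version(version) < FIXED_VERSION


def find_affected_plugins(inventory):
    """Return [(shortName, version)] for every affected Dependency-Track install.

    `inventory` is the parsed JSON of /pluginManager/api/json?depth=1, whose
    top-level "plugins" list carries "shortName" and "version" per plugin.
    """
    hits = []
    for plugin in inventory.get("plugins", []):
        if plugin.get("shortName") != PLUGIN_SHORT_NAME:
            continue
        version = plugin.get("version", "0")
        if is_affected(version):
            hits.append((plugin["shortName"], version))
    return hits


def fetch_inventory(base_url, user, api_token):
    """Pull the live inventory with basic auth (Jenkins user + API token)."""
    url = base_url.rstrip("/") + "/pluginManager/api/json?depth=1"
    token = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Usage: python check_cve_2021_21633.py https://jenkins.example USER API_TOKEN
    # With no arguments the constructed sample inventory is checked instead.
    if len(sys.argv) == 4:
        inventory = fetch_inventory(*sys.argv[1:])
    else:
        inventory = SAMPLE_INVENTORY
    affected = find_affected_plugins(inventory)
    if affected:
        for name, version in affected:
            print(f"AFFECTED: {name} {version} (update to 3.1.1 or later)")
        sys.exit(1)
    print("OK: no affected Dependency-Track Plugin install found")
```

The non-zero exit code makes the script usable as a gate in a fleet-wide audit job; run it against every controller, since plugin versions are per controller, not per organisation.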

Fix · CSRF

Weakness Enumeration

Related Identifiers

CVE-2021-21633
GHSA-V7XH-H48C-XW5F

Affected Products

Jenkins
Jenkins Owasp Dependency-Track Plugin