PT-2021-14679 · Jenkins · Jenkins Team Foundation Server Plugin+1

Daniel Beck

Published

2021-03-30

Updated

2023-10-25

CVE-2021-21636

CVSS v3.1

4.3

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions Jenkins Team Foundation Server Plugin versions 5.157.1 and earlier

Description A missing permission check in the Jenkins Team Foundation Server Plugin allows attackers with Overall/Read permission to enumerate credentials ID of credentials stored in Jenkins. This issue affects the plugin's HTTP endpoint, enabling attackers to obtain credentials IDs that can be used as part of an attack to capture the credentials using another vulnerability.

Recommendations For Jenkins Team Foundation Server Plugin versions 5.157.1 and earlier, as a temporary workaround, consider restricting access to the affected HTTP endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-862

Related Identifiers

CVE-2021-21636

GHSA-VG28-9F43-GMH5

Affected Products

Jenkins

Jenkins Team Foundation Server Plugin

PT-2021-14679 · Jenkins · Jenkins Team Foundation Server Plugin+1

CVE-2021-21636

Weakness Enumeration

Related Identifiers

Affected Products

References · 8