CVE-2021-21637

Name of the Vulnerable Software and Affected Versions Jenkins Team Foundation Server Plugin versions 5.157.1 and earlier

Description A missing permission check in the plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Recommendations For Jenkins Team Foundation Server Plugin versions 5.157.1 and earlier, as a temporary workaround, consider restricting access to the plugin until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.