CVE-2021-21644

Name of the Vulnerable Software and Affected Versions Jenkins Config File Provider Plugin versions 3.7.0 and earlier

Description A cross-site request forgery (CSRF) vulnerability allows attackers to delete configuration files corresponding to an attacker-specified ID. This issue arises because the plugin does not require POST requests for a specific HTTP endpoint. The vulnerability is a result of an incomplete fix of a previous security issue.

Recommendations For Jenkins Config File Provider Plugin versions 3.7.0 and earlier, update to version 3.7.1 or later, which requires POST requests for the affected HTTP endpoint, thereby mitigating the CSRF vulnerability.