CVE-2021-21645

Name of the Vulnerable Software and Affected Versions Jenkins Config File Provider Plugin versions 3.7.0 and earlier

Description The issue concerns a lack of permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to enumerate configuration file IDs. This can be exploited by attackers to gain unauthorized access to sensitive information.

Recommendations For Jenkins Config File Provider Plugin versions 3.7.0 and earlier, update to version 3.7.1 or later, which requires appropriate permissions for the enumeration of configuration file IDs. As a temporary workaround, consider restricting access to the affected HTTP endpoints until a patch is available.