CVE-2021-21662

Name of the Vulnerable Software and Affected Versions Jenkins XebiaLabs XL Deploy Plugin versions 10.0.1 and earlier

Description A missing permission check in the plugin allows attackers with Overall/Read permission to enumerate credentials ID of credentials stored in Jenkins. This issue is related to a method implementing form validation that does not perform a permission check, enabling attackers to obtain credentials IDs that can be used as part of an attack to capture the credentials using another vulnerability.

Recommendations For Jenkins XebiaLabs XL Deploy Plugin versions 10.0.1 and earlier, consider updating to a version that includes the necessary permission checks to prevent credentials ID enumeration. As a temporary workaround, restrict access to the plugin's form validation method to minimize the risk of exploitation.