CVE-2021-21663

Name of the Vulnerable Software and Affected Versions Jenkins XebiaLabs XL Deploy Plugin versions 7.5.8 and earlier

Description A missing permission check in the plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs, capturing Username/password credentials stored in Jenkins.

Recommendations For Jenkins XebiaLabs XL Deploy Plugin versions 7.5.8 and earlier, consider disabling the plugin until a patch is available to prevent attackers from capturing credentials. Restrict access to the plugin's functionality to minimize the risk of exploitation. Avoid using the plugin to store or manage sensitive credentials until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.