PT-2021-14707 · XebiaLabs · Jenkins XebiaLabs XL Deploy Plugin

Wadeck Follonier · Published 2021-06-10 · Updated 2023-10-25

CVE-2021-21664

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Jenkins XebiaLabs XL Deploy Plugin versions 10.0.1 and earlier

Description

An incorrect permission check in the Jenkins XebiaLabs XL Deploy Plugin allows attackers with Generic Create permission to make Jenkins connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing Username/password credentials stored in Jenkins. The affected code is a form validation method (the kind that backs a "test connection" button): it takes a URL and a credentials ID from the request, resolves the credentials and sends them to that URL, but only checks Generic Create rather than a permission that governs configuring the item or using credentials. Credentials IDs are not treated as secrets by Jenkins (they appear in job configurations and in credentials drop-downs), so obtaining them "through another method" is a low bar; the CVSS vector (PR:L, C:H) reflects that. The permission check was partially fixed in XebiaLabs XL Deploy Plugin 7.5.9, but versions 7.5.9 through 10.0.1 still allow some non-admin users to access the form validation method.

Recommendations

Update Jenkins XebiaLabs XL Deploy Plugin to a version that includes the complete fix for the incorrect permission check; 7.5.9 contains only a partial fix, so 7.5.9 through 10.0.1 remain affected. Until the update is applied, restrict Generic Create to trusted users (removing it from non-admin users is the simplest temporary workaround) and, where your authorization strategy allows it, restrict who can reach the plugin's form validation method. Audit the Username/password credentials stored in Jenkins that such users could have referenced and rotate any that may have been captured.
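The following is an added illustration of the vulnerable pattern and its hardened form, written for this entry; it is not the XL Deploy Plugin's own code. The class and method names (ServerConnection, doTestConnectionVulnerable, doTestConnection, lookup, probe), the use of Permission.CREATE as a stand-in for the weak "Generic Create" check, and the HTTP Basic probe are assumptions chosen to show what the advisory describes: a Jenkins form validation method that accepts a URL and a credentials ID from the request, resolves the credential, and sends it to that URL.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Collections;

import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.Extension;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.security.Permission;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;

/** Hypothetical "server connection" describable (assumed name, not the plugin's).
 *  Only the descriptor's form-validation methods matter for this advisory. */
public class ServerConnection extends AbstractDescribableImpl<ServerConnection> {

    @Extension
    public static class DescriptorImpl extends Descriptor<ServerConnection> {

        // BEFORE: the pattern the advisory describes. The only check is the generic
        // Create permission (assumed stand-in for the plugin's weak check), which says
        // nothing about whether the caller may configure anything or use credentials.
        // Both 'url' and 'credentialsId' come straight from the HTTP request, so a
        // low-privileged user can make Jenkins send a stored username/password pair
        // to a host they control.
        public FormValidation doTestConnectionVulnerable(@QueryParameter String url,
                                                         @QueryParameter String credentialsId) {
            Jenkins.get().checkPermission(Permission.CREATE);
            StandardUsernamePasswordCredentials c = lookup(null, credentialsId);
            if (c == null) {
                return FormValidation.error("Credentials not found");
            }
            return probe(url, c); // the secret leaves Jenkins for whatever 'url' names
        }

        // AFTER: require the permission that governs editing the configuration this
        // field belongs to (Item/Configure on the job, or Overall/Administer when the
        // field lives on a global page), and resolve the credential in that item's
        // context so only credentials the item could legitimately use are reachable.
        public FormValidation doTestConnection(@AncestorInPath Item item,
                                               @QueryParameter String url,
                                               @QueryParameter String credentialsId) {
            if (item == null) {
                Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            } else {
                item.checkPermission(Item.CONFIGURE);
            }
            if (credentialsId == null || credentialsId.isEmpty()) {
                return FormValidation.warning("Select credentials to test the connection");
            }
            StandardUsernamePasswordCredentials c = lookup(item, credentialsId);
            if (c == null) {
                return FormValidation.error("No username/password credentials with ID '" + credentialsId + "'");
            }
            return probe(url, c);
        }

        // Resolves a username/password credential by ID, scoped to 'context' (null
        // means the Jenkins root, i.e. every global credential).
        private static StandardUsernamePasswordCredentials lookup(Item context, String id) {
            if (id == null || id.isEmpty()) {
                return null;
            }
            return CredentialsMatchers.firstOrNull(
                    CredentialsProvider.lookupCredentials(
                            StandardUsernamePasswordCredentials.class, context, ACL.SYSTEM,
                            Collections.emptyList()),
                    CredentialsMatchers.withId(id));
        }

        // The actual test: one HTTP request with Basic auth built from the credential.
        // This is what turns a missing permission check into credential capture,
        // because the Authorization header goes to the caller-supplied URL.
        private static FormValidation probe(String url, StandardUsernamePasswordCredentials c) {
            try {
                HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
                conn.setConnectTimeout(5_000);
                conn.setReadTimeout(5_000);
                String basic = c.getUsername() + ":" + c.getPassword().getPlainText();
                conn.setRequestProperty("Authorization", "Basic "
                        + Base64.getEncoder().encodeToString(basic.getBytes(StandardCharsets.UTF_8)));
                int status = conn.getResponseCode();
                return status < 400
                        ? FormValidation.ok("Connected (HTTP " + status + ")")
                        : FormValidation.error("Server returned HTTP " + status);
            } catch (IOException e) {
                return FormValidation.error(e, "Connection failed");
            }
        }
    }
}
```

The hardened method still lets anyone holding Item/Configure on the job point the test at a host they control; that is the trust boundary Jenkins accepts, because such a user could already bind the credential to the job and read it out from a build. What the fix removes is the gap between that boundary and Generic Create. When reviewing a plugin, apply the same question to every `do*` method that performs network I/O or touches credentials, including `doFillCredentialsIdItems` list-box providers: which permission does it check, and is that the permission that governs the configuration it validates?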

Fix

Weakness Enumeration

Incorrect Authorization (CWE-863)

Related Identifiers

CVE-2021-21664
GHSA-JM4G-8RVQ-V87J

Affected Products

Jenkins
Jenkins XebiaLabs XL Deploy Plugin