CVE-2021-21643: Incorrect Authorization

May 24, 2022 (updated December 13, 2022)

Jenkins Config File Provider Plugin 3.7.0 and earlier does not correctly perform permission checks in several HTTP endpoints, allowing attackers with global Job/Configure permission to enumerate system-scoped credentials IDs of credentials stored in Jenkins.

References

www.openwall.com/lists/oss-security/2021/04/21/2
github.com/advisories/GHSA-3m3f-2323-64m7
nvd.nist.gov/vuln/detail/CVE-2021-21643
www.jenkins.io/security/advisory/2021-04-21/

Detect and mitigate CVE-2021-21643 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →