CVE-2021-21664 – com.xebialabs.deployit.ci:deployit-plugin

Package

Manager: maven
Name: com.xebialabs.deployit.ci:deployit-plugin
Vulnerable Version: >=0 <10.0.2

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00047 pctl0.14107

Details

Incorrect permission check in XebiaLabs XL Deploy Plugin allows capturing credentials An incorrect permission check in Jenkins XebiaLabs XL Deploy Plugin 10.0.1 and earlier allows attackers with Generic Create permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing Username/password credentials stored in Jenkins. The permission check was partially fixed in XebiaLabs XL Deploy Plugin 7.5.9: A permission check was added, but for the wrong permission, still allowing some non-admin users to access the form validation method.

Metadata

Created: 2022-05-24T19:04:53Z
Modified: 2023-12-21T13:49:53Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jm4g-8rvq-v87j/GHSA-jm4g-8rvq-v87j.json
CWE IDs: ["CWE-863"]
Alternative ID: GHSA-jm4g-8rvq-v87j
Finding: F006
Auto approve: 1