A missing permission check in Jenkins XebiaLabs XL Deploy Plugin 7.5.8 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing Username/password credentials stored in Jenkins.

Affected Packages

Maven com.xebialabs.deployit.ci:deployit-plugin

Affected versions: 0 (fixed in 10.0.2)

Related CVEs

CVE-2021-21663

Key Information

GHSA ID

GHSA-6mpp-cm3v-23vv

Published

May 24, 2022 7:04 PM

Last Modified

October 27, 2023 3:17 PM

CVSS Score

5.0 /10

Primary Ecosystem

Maven

Primary Package

com.xebialabs.deployit.ci:deployit-plugin

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 6, 2025 6:30 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.