CVE-2021-21665

8.8 HIGH

📋 TL;DR

This CSRF vulnerability in Jenkins XebiaLabs XL Deploy Plugin allows attackers to trick authenticated users into connecting Jenkins to attacker-controlled servers using stolen credential IDs. This enables credential theft of usernames and passwords stored in Jenkins. Affects Jenkins instances with XL Deploy Plugin 10.0.1 or earlier installed.

💻 Affected Systems

Products:
  • Jenkins XebiaLabs XL Deploy Plugin
Versions: 10.0.1 and earlier
Operating Systems: All platforms running Jenkins
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Jenkins with the vulnerable plugin installed and enabled. Attackers need to obtain credential IDs through other means first.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers steal all stored credentials from Jenkins, potentially compromising downstream systems, infrastructure, and sensitive data.

🟠 Likely Case

Targeted credential theft leading to unauthorized access to connected systems and potential lateral movement.

🟢 If Mitigated

Limited impact with proper CSRF protections, credential isolation, and network segmentation in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires social engineering or other methods to deliver CSRF payload to authenticated users. Credential IDs must be obtained separately.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.0.2

Vendor Advisory: https://www.jenkins.io/security/advisory/2021-06-10/#SECURITY-1982

Restart Required: Yes

Instructions:

1. Update Jenkins XL Deploy Plugin to version 10.0.2 or later via Jenkins Plugin Manager.
2. Restart the Jenkins instance.
3. Verify the plugin version in the installed plugins list.

🔧 Temporary Workarounds

Enable CSRF Protection (platforms: all)

  • Ensure Jenkins CSRF protection is enabled globally
  • Check Jenkins Configure Global Security settings for CSRF protection

Restrict Network Access (platforms: all)

  • Limit the Jenkins server's outbound network connections
  • Configure firewall rules to restrict Jenkins outbound connections

🧯 If You Can't Patch

  • Disable or remove XL Deploy Plugin if not essential
  • Implement strict network segmentation and monitor for unusual outbound connections

🔍 How to Verify

Check if Vulnerable:

Check Jenkins plugin manager for XL Deploy Plugin version 10.0.1 or earlier

Check Version:

Check via Jenkins web UI: Manage Jenkins > Manage Plugins > Installed tab

Verify Fix Applied:

Verify XL Deploy Plugin version is 10.0.2 or later in Jenkins plugin manager
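The version check above can be scripted against the plugin list that Jenkins exposes at /pluginManager/api/json. The following is an added example, not code from the advisory or from the plugin project; the short name "deployit-plugin" in the sample data and the user/API-token credentials are assumptions, and the embedded response is constructed so the check runs offline.

```python
"""Flag an installed XL Deploy Plugin older than 10.0.2 (CVE-2021-21665)."""
import base64
import json
import re
from urllib.request import Request, urlopen

FIXED_VERSION = "10.0.2"  # first fixed release named in SECURITY-1982

# Constructed sample of what /pluginManager/api/json?depth=1 returns.
# "deployit-plugin" is the assumed short name of the XL Deploy Plugin.
SAMPLE_RESPONSE = json.dumps({"plugins": [
    {"shortName": "git", "longName": "Git plugin", "version": "4.7.2", "active": True},
    {"shortName": "deployit-plugin", "longName": "XebiaLabs XL Deploy Plugin",
     "version": "10.0.1", "active": True},
]})


def parse_version(v):
    """Turn '10.0.1' or '10.0.1-beta' into a comparable tuple of ints."""
    return tuple(int(x) for x in re.findall(r"\d+", v.split("-")[0]))


def is_affected(version):
    """True when the installed version is below the fixed version."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def find_xl_deploy(plugins):
    """Return (longName, version, affected) for each XL Deploy plugin entry."""
    return [(p["longName"], p["version"], is_affected(p["version"]))
            for p in plugins if "xl deploy" in p.get("longName", "").lower()]


def check_sample():
    """Run the check over the constructed sample response."""
    return find_xl_deploy(json.loads(SAMPLE_RESPONSE)["plugins"])


def check_live(base_url, user, api_token):
    """Fetch the real plugin list with HTTP basic auth (user + API token)."""
    req = Request(base_url.rstrip("/") + "/pluginManager/api/json?depth=1")
    auth = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", "Basic " + auth)
    with urlopen(req, timeout=10) as resp:
        return find_xl_deploy(json.load(resp)["plugins"])


if __name__ == "__main__":
    for name, ver, affected in check_sample():
        print(f"{name} {ver}: {'AFFECTED' if affected else 'fixed'}")
```

An absent entry means the plugin is not installed; a listed entry with affected=True means the instance needs the 10.0.2 update (and a restart) before the finding can be closed.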

📡 Detection & Monitoring

Log Indicators:

  • Unusual plugin configuration changes
  • Failed authentication attempts to new endpoints

Network Indicators:

  • Jenkins server making unexpected outbound connections
  • Traffic to unfamiliar domains/IPs

SIEM Query:

source="jenkins.log" AND ("XL Deploy" OR "plugin.configure") AND (error OR failed OR unauthorized)

🔗 References
