{"id":"GHSA-rrvg-2c69-p9rf","summary":"CSRF vulnerability in Jenkins Xray - Test Management for Jira Plugin allows capturing credentials","details":"Jenkins Xray - Test Management for Jira Plugin 2.4.0 and earlier does not require POST requests for a connection test method, resulting in a cross-site request forgery (CSRF) vulnerability.\n\nThis vulnerability allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.\n\nJenkins Xray - Test Management for Jira Plugin 2.4.1 requires POST requests for the affected connection test method.","aliases":["CVE-2021-21652"],"modified":"2023-11-01T04:54:20.071127Z","published":"2021-06-16T17:28:58Z","database_specific":{"nvd_published_at":"2021-05-11T15:15:00Z","cwe_ids":["CWE-352"],"github_reviewed_at":"2021-05-19T19:12:26Z","github_reviewed":true,"severity":"HIGH"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21652"},{"type":"PACKAGE","url":"https://github.com/jenkinsci/xray-connector-plugin"},{"type":"WEB","url":"https://www.jenkins.io/security/advisory/2021-05-11/#SECURITY-2251%20(1)"}],"affected":[{"package":{"name":"org.jenkins-ci.plugins:xray-connector","ecosystem":"Maven","purl":"pkg:maven/org.jenkins-ci.plugins/xray-connector"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.4.1"}]}],"versions":["2.1.1","2.1.2","2.2.0","2.3.0","2.3.1","2.4.0"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-rrvg-2c69-p9rf/GHSA-rrvg-2c69-p9rf.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"}]}