VulnerableCode Package Details - pkg:maven/org.jenkins-ci.plugins/config-file-provider@3.7.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-869x-tjbg-dkbr Aliases: CVE-2021-21642 GHSA-q7xg-hh3q-hc68	XML External Entity Reference vulnerability in Jenkins Config File Provider Plugin Jenkins Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers with the ability to define Maven configuration files to have Jenkins parse a crafted configuration file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. Jenkins Config File Provider Plugin 3.7.1 disables external entity resolution for its XML parser.	3.7.1 Affected by 0 other vulnerabilities.
VCID-sztq-6p4h-b7ex Aliases: CVE-2021-21644 GHSA-998m-f2x3-jjq4	CSRF vulnerability in Jenkins Config File Provider Plugin allows deleting configuration files Jenkins Config File Provider Plugin 3.7.0 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to delete configuration files corresponding to an attacker-specified ID. This is due to an incomplete fix of [SECURITY-938](https://www.jenkins.io/security/advisory/2018-09-25/#SECURITY-938). Jenkins Config File Provider Plugin 3.7.1 requires POST requests for the affected HTTP endpoint.	3.7.1 Affected by 0 other vulnerabilities.
VCID-u2dp-1t5z-z7dm Aliases: CVE-2021-21645 GHSA-2959-fj73-hm8p	Missing permission checks in Jenkins Config File Provider Plugin allow enumerating configuration file IDs Jenkins Config File Provider Plugin 3.7.0 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate configuration file IDs. An enumeration of configuration file IDs in Jenkins Config File Provider Plugin 3.7.1 requires the appropriate permissions.	3.7.1 Affected by 0 other vulnerabilities.
VCID-xmyr-jaue-7ker Aliases: CVE-2021-21643 GHSA-3m3f-2323-64m7	Incorrect permission checks in Jenkins Config File Provider Plugin allow enumerating credentials IDs Jenkins Config File Provider Plugin 3.7.0 and earlier does not correctly perform permission checks in several HTTP endpoints. This allows attackers with global Job/Configure permission to enumerate system-scoped credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability. An enumeration of system-scoped credentials IDs in Jenkins Config File Provider Plugin 3.7.1 requires Overall/Administer permission.	3.7.1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-869x-tjbg-dkbr
Aliases:
CVE-2021-21642
GHSA-q7xg-hh3q-hc68

XML External Entity Reference vulnerability in Jenkins Config File Provider Plugin Jenkins Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers with the ability to define Maven configuration files to have Jenkins parse a crafted configuration file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. Jenkins Config File Provider Plugin 3.7.1 disables external entity resolution for its XML parser.

3.7.1
Affected by 0 other vulnerabilities.

VCID-sztq-6p4h-b7ex
Aliases:
CVE-2021-21644
GHSA-998m-f2x3-jjq4

CSRF vulnerability in Jenkins Config File Provider Plugin allows deleting configuration files Jenkins Config File Provider Plugin 3.7.0 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to delete configuration files corresponding to an attacker-specified ID. This is due to an incomplete fix of [SECURITY-938](https://www.jenkins.io/security/advisory/2018-09-25/#SECURITY-938). Jenkins Config File Provider Plugin 3.7.1 requires POST requests for the affected HTTP endpoint.

3.7.1
Affected by 0 other vulnerabilities.

VCID-u2dp-1t5z-z7dm
Aliases:
CVE-2021-21645
GHSA-2959-fj73-hm8p

Missing permission checks in Jenkins Config File Provider Plugin allow enumerating configuration file IDs Jenkins Config File Provider Plugin 3.7.0 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate configuration file IDs. An enumeration of configuration file IDs in Jenkins Config File Provider Plugin 3.7.1 requires the appropriate permissions.

3.7.1
Affected by 0 other vulnerabilities.

VCID-xmyr-jaue-7ker
Aliases:
CVE-2021-21643
GHSA-3m3f-2323-64m7

Incorrect permission checks in Jenkins Config File Provider Plugin allow enumerating credentials IDs Jenkins Config File Provider Plugin 3.7.0 and earlier does not correctly perform permission checks in several HTTP endpoints. This allows attackers with global Job/Configure permission to enumerate system-scoped credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability. An enumeration of system-scoped credentials IDs in Jenkins Config File Provider Plugin 3.7.1 requires Overall/Administer permission.

3.7.1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-03T21:26:57.031715+00:00	GitLab Importer	Affected by	VCID-869x-tjbg-dkbr	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.jenkins-ci.plugins/config-file-provider/CVE-2021-21642.yml	38.1.0
2026-04-03T21:26:45.977225+00:00	GitLab Importer	Affected by	VCID-u2dp-1t5z-z7dm	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.jenkins-ci.plugins/config-file-provider/CVE-2021-21645.yml	38.1.0
2026-04-03T21:26:42.664910+00:00	GitLab Importer	Affected by	VCID-sztq-6p4h-b7ex	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.jenkins-ci.plugins/config-file-provider/CVE-2021-21644.yml	38.1.0
2026-04-03T21:26:32.590377+00:00	GitLab Importer	Affected by	VCID-xmyr-jaue-7ker	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.jenkins-ci.plugins/config-file-provider/CVE-2021-21643.yml	38.1.0
2026-04-01T16:02:06.824590+00:00	GHSA Importer	Affected by	VCID-xmyr-jaue-7ker	https://github.com/advisories/GHSA-3m3f-2323-64m7	38.0.0
2026-04-01T16:02:06.767447+00:00	GHSA Importer	Affected by	VCID-869x-tjbg-dkbr	https://github.com/advisories/GHSA-q7xg-hh3q-hc68	38.0.0
2026-04-01T16:02:06.707674+00:00	GHSA Importer	Affected by	VCID-u2dp-1t5z-z7dm	https://github.com/advisories/GHSA-2959-fj73-hm8p	38.0.0
2026-04-01T16:02:06.655547+00:00	GHSA Importer	Affected by	VCID-sztq-6p4h-b7ex	https://github.com/advisories/GHSA-998m-f2x3-jjq4	38.0.0