VulnerableCode Package Details - pkg:maven/org.jenkins-ci.plugins/config-file-provider@3.7.1

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-869x-tjbg-dkbr	XML External Entity Reference vulnerability in Jenkins Config File Provider Plugin Jenkins Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers with the ability to define Maven configuration files to have Jenkins parse a crafted configuration file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. Jenkins Config File Provider Plugin 3.7.1 disables external entity resolution for its XML parser.	CVE-2021-21642 GHSA-q7xg-hh3q-hc68
VCID-sztq-6p4h-b7ex	CSRF vulnerability in Jenkins Config File Provider Plugin allows deleting configuration files Jenkins Config File Provider Plugin 3.7.0 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to delete configuration files corresponding to an attacker-specified ID. This is due to an incomplete fix of [SECURITY-938](https://www.jenkins.io/security/advisory/2018-09-25/#SECURITY-938). Jenkins Config File Provider Plugin 3.7.1 requires POST requests for the affected HTTP endpoint.	CVE-2021-21644 GHSA-998m-f2x3-jjq4
VCID-u2dp-1t5z-z7dm	Missing permission checks in Jenkins Config File Provider Plugin allow enumerating configuration file IDs Jenkins Config File Provider Plugin 3.7.0 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate configuration file IDs. An enumeration of configuration file IDs in Jenkins Config File Provider Plugin 3.7.1 requires the appropriate permissions.	CVE-2021-21645 GHSA-2959-fj73-hm8p
VCID-xmyr-jaue-7ker	Incorrect permission checks in Jenkins Config File Provider Plugin allow enumerating credentials IDs Jenkins Config File Provider Plugin 3.7.0 and earlier does not correctly perform permission checks in several HTTP endpoints. This allows attackers with global Job/Configure permission to enumerate system-scoped credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability. An enumeration of system-scoped credentials IDs in Jenkins Config File Provider Plugin 3.7.1 requires Overall/Administer permission.	CVE-2021-21643 GHSA-3m3f-2323-64m7

Vulnerability

Summary

Aliases

VCID-869x-tjbg-dkbr

XML External Entity Reference vulnerability in Jenkins Config File Provider Plugin Jenkins Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers with the ability to define Maven configuration files to have Jenkins parse a crafted configuration file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. Jenkins Config File Provider Plugin 3.7.1 disables external entity resolution for its XML parser.

CVE-2021-21642
GHSA-q7xg-hh3q-hc68

VCID-sztq-6p4h-b7ex

CSRF vulnerability in Jenkins Config File Provider Plugin allows deleting configuration files Jenkins Config File Provider Plugin 3.7.0 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to delete configuration files corresponding to an attacker-specified ID. This is due to an incomplete fix of [SECURITY-938](https://www.jenkins.io/security/advisory/2018-09-25/#SECURITY-938). Jenkins Config File Provider Plugin 3.7.1 requires POST requests for the affected HTTP endpoint.

CVE-2021-21644
GHSA-998m-f2x3-jjq4

VCID-u2dp-1t5z-z7dm

Missing permission checks in Jenkins Config File Provider Plugin allow enumerating configuration file IDs Jenkins Config File Provider Plugin 3.7.0 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate configuration file IDs. An enumeration of configuration file IDs in Jenkins Config File Provider Plugin 3.7.1 requires the appropriate permissions.

CVE-2021-21645
GHSA-2959-fj73-hm8p

VCID-xmyr-jaue-7ker

Incorrect permission checks in Jenkins Config File Provider Plugin allow enumerating credentials IDs Jenkins Config File Provider Plugin 3.7.0 and earlier does not correctly perform permission checks in several HTTP endpoints. This allows attackers with global Job/Configure permission to enumerate system-scoped credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability. An enumeration of system-scoped credentials IDs in Jenkins Config File Provider Plugin 3.7.1 requires Overall/Administer permission.

CVE-2021-21643
GHSA-3m3f-2323-64m7

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-03T21:26:57.035619+00:00	GitLab Importer	Fixing	VCID-869x-tjbg-dkbr	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.jenkins-ci.plugins/config-file-provider/CVE-2021-21642.yml	38.1.0
2026-04-03T21:26:45.980468+00:00	GitLab Importer	Fixing	VCID-u2dp-1t5z-z7dm	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.jenkins-ci.plugins/config-file-provider/CVE-2021-21645.yml	38.1.0
2026-04-03T21:26:42.668629+00:00	GitLab Importer	Fixing	VCID-sztq-6p4h-b7ex	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.jenkins-ci.plugins/config-file-provider/CVE-2021-21644.yml	38.1.0
2026-04-03T21:26:32.593829+00:00	GitLab Importer	Fixing	VCID-xmyr-jaue-7ker	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.jenkins-ci.plugins/config-file-provider/CVE-2021-21643.yml	38.1.0
2026-04-01T16:02:06.827829+00:00	GHSA Importer	Fixing	VCID-xmyr-jaue-7ker	https://github.com/advisories/GHSA-3m3f-2323-64m7	38.0.0
2026-04-01T16:02:06.770719+00:00	GHSA Importer	Fixing	VCID-869x-tjbg-dkbr	https://github.com/advisories/GHSA-q7xg-hh3q-hc68	38.0.0
2026-04-01T16:02:06.711086+00:00	GHSA Importer	Fixing	VCID-u2dp-1t5z-z7dm	https://github.com/advisories/GHSA-2959-fj73-hm8p	38.0.0
2026-04-01T16:02:06.658855+00:00	GHSA Importer	Fixing	VCID-sztq-6p4h-b7ex	https://github.com/advisories/GHSA-998m-f2x3-jjq4	38.0.0
2026-04-01T13:11:17.573058+00:00	GithubOSV Importer	Fixing	VCID-xmyr-jaue-7ker	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3m3f-2323-64m7/GHSA-3m3f-2323-64m7.json	38.0.0
2026-04-01T13:09:10.256608+00:00	GithubOSV Importer	Fixing	VCID-u2dp-1t5z-z7dm	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-2959-fj73-hm8p/GHSA-2959-fj73-hm8p.json	38.0.0
2026-04-01T13:08:45.679569+00:00	GithubOSV Importer	Fixing	VCID-869x-tjbg-dkbr	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-q7xg-hh3q-hc68/GHSA-q7xg-hh3q-hc68.json	38.0.0
2026-04-01T13:08:23.423841+00:00	GithubOSV Importer	Fixing	VCID-sztq-6p4h-b7ex	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-998m-f2x3-jjq4/GHSA-998m-f2x3-jjq4.json	38.0.0