
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2021-21632 is a security vulnerability in the OWASP Dependency-Track Plugin for Jenkins, disclosed on March 30, 2021. It affects versions 3.1.0 and earlier, in which several HTTP endpoints perform no permission checks, allowing a low-privileged Jenkins user to capture 'Secret text' credentials stored in Jenkins (Jenkins Advisory, OSS Security).
The root cause is missing permission checks on several of the plugin's HTTP endpoints; Jenkins rates the issue Medium severity. These endpoints accept a URL and a credentials ID from the caller and make the plugin connect to that URL using the named credential. An attacker with only Overall/Read permission who knows a credentials ID (obtained through another method) can therefore point the plugin at a server they control and read the plaintext 'Secret text' credential out of the request that server receives. If no credentials ID is supplied, the plugin falls back to its globally configured credential, so that credential is captured if one is set up (Jenkins Advisory).

Overall/Read is routinely granted to every authenticated user, and on some instances to anonymous users, so the set of possible attackers is far larger than the plugin's administrators. If an affected version was exposed to such users, treat the 'Secret text' credentials reachable through the plugin, including the global one, as potentially compromised and rotate them.
The vulnerability is fixed in OWASP Dependency-Track Plugin version 3.1.1, which adds permission checks to the affected endpoints and requires POST requests; the POST requirement also stops the endpoints from being triggered by a plain link or a cross-site GET request. Users should upgrade to 3.1.1 or later and confirm the installed version in the installed-plugins list under Manage Jenkins (Jenkins Advisory).
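The following is an added illustration, not code from the OWASP Dependency-Track Plugin or from the Jenkins advisory. It sketches, as a Jenkins global-configuration class, the endpoint shape the advisory describes: a "test connection" form-validation method that sends a 'Secret text' credential to a caller-supplied URL. The vulnerable and fixed variants sit side by side so the two-line difference (an HTTP-method restriction and a permission check) is visible; the class, method and parameter names, the header name `X-Api-Key`, and the use of Overall/Administer as the required permission are assumptions for illustration, while the Jenkins and Credentials Plugin APIs used are real.

```java
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;
import hudson.Extension;
import hudson.security.ACL;
import hudson.util.FormValidation;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.jenkinsci.plugins.plaincredentials.StringCredentials;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.Collections;

/**
 * Illustrative global configuration for a plugin that talks to an external
 * server with an API key stored as a Jenkins 'Secret text' credential.
 * Names are assumptions for this example; this is not the plugin's source.
 */
@Extension
public class ExampleServerConfig extends GlobalConfiguration {

    /** Credential ID used when a request names none (the "globally configured credential"). */
    private String globalApiKeyId;

    public ExampleServerConfig() {
        load();
    }

    public String getGlobalApiKeyId() { return globalApiKeyId; }

    public void setGlobalApiKeyId(String id) {
        globalApiKeyId = id;
        save();
    }

    /** Resolves a 'Secret text' credential by ID with SYSTEM authority; null if absent. */
    static StringCredentials lookup(String credentialsId) {
        return CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(
                        StringCredentials.class, Jenkins.get(), ACL.SYSTEM,
                        Collections.<DomainRequirement>emptyList()),
                CredentialsMatchers.withId(credentialsId));
    }

    /** Sends the key to url in a request header and reports the HTTP status. */
    static FormValidation probe(String url, String apiKey) {
        try {
            HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
            c.setRequestProperty("X-Api-Key", apiKey); // the secret leaves Jenkins here
            int status = c.getResponseCode();
            return status == 200
                    ? FormValidation.ok("Connection successful")
                    : FormValidation.error("Server returned HTTP " + status);
        } catch (IOException e) {
            return FormValidation.error(e, "Connection failed");
        }
    }

    /** Shared body: use the named credential, or fall back to the global one, then probe. */
    private FormValidation testConnection(String url, String credentialsId) {
        String id = (credentialsId == null || credentialsId.isEmpty()) ? globalApiKeyId : credentialsId;
        StringCredentials cred = (id == null) ? null : lookup(id);
        if (cred == null) {
            return FormValidation.error("No 'Secret text' credential with ID " + id);
        }
        return probe(url, cred.getSecret().getPlainText());
    }

    // BEFORE: the shape the advisory describes for 3.1.0 and earlier. Stapler exposes this as
    // GET /descriptorByName/<this class>/testConnectionVulnerable?url=...&credentialsId=...
    // to anyone with Overall/Read, so url can point at a host the caller controls and
    // credentialsId at any 'Secret text' credential whose ID the caller knows.
    public FormValidation doTestConnectionVulnerable(@QueryParameter String url,
                                                     @QueryParameter String credentialsId) {
        return testConnection(url, credentialsId);
    }

    // AFTER: what the 3.1.1 fix amounts to. @RequirePOST rejects GET, so a link or a
    // cross-site request cannot trigger it; checkPermission throws AccessDeniedException
    // for callers without Overall/Administer before any credential is resolved.
    @RequirePOST
    public FormValidation doTestConnection(@QueryParameter String url,
                                           @QueryParameter String credentialsId) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return testConnection(url, credentialsId);
    }
}
```

A real plugin would ship only the hardened method. Two details matter in review: the permission check must come before the credential lookup, because the lookup runs as SYSTEM and ignores the caller's own permissions, and `@RequirePOST` alone is not a substitute for the permission check, since any authenticated user with Overall/Read can still issue a POST with a valid crumb from the Jenkins UI.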
Source: This report was generated using AI