CVE-2022-27199Missing Authorization in Jenkins Cloudbees AWS Credentials

CWE-862Missing AuthorizationCWE-276Incorrect Default Permissions5 documents5 sources
Severity
4.3MEDIUMNVD
EPSS
0.0%
top 91.25%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Jenkins Cloudbees AWS CredentialsJenkins Project Jenkins Cloudbees AWS Credentials Plugin
Timeline
PublishedMar 15
Latest updateMar 16

Description

A missing permission check in Jenkins CloudBees AWS Credentials Plugin 189.v3551d5642995 and earlier allows attackers with Overall/Read permission to connect to an AWS service using an attacker-specified token.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

CVEListV5jenkins_project/jenkins_cloudbees_aws_credentials_pluginunspecified189.v3551d5642995
NVDjenkins/cloudbees_aws_credentials< 191.vcb_f183ce58b_9

🔴Vulnerability Details

3
OSV
Missing permission checks in AWS Credentials Plugin2022-03-16
GHSA
Missing permission checks in AWS Credentials Plugin2022-03-16
CVEList
CVE-2022-27199: A missing permission check in Jenkins CloudBees AWS Credentials Plugin 1892022-03-15

📋Vendor Advisories

1
Jenkins
Jenkins Security Advisory 2022-03-152022-03-15
CVE-2022-27199 — Missing Authorization in Jenkins | cvebase