CVE-2022-28144

CWE-862Missing Authorization5 documents5 sources
Severity
6.5MEDIUM
EPSS
0.0%
top 91.14%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Jenkins Project Jenkins Proxmox PluginJenkins Proxmox
Timeline
PublishedMar 29
Latest updateMar 30

Description

Jenkins Proxmox Plugin 0.7.0 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified host using attacker-specified username and password (perform a connection test), disable SSL/TLS validation for the entire Jenkins controller JVM as part of the connection test (see CVE-2022-28142), and test a rollback with attacker-specified parameters.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

CVEListV5jenkins_project/jenkins_proxmox_pluginunspecified0.7.0
NVDjenkins/proxmox0.7.0

🔴Vulnerability Details

3
OSV
Missing permission checks in Jenkins Proxmox Plugin2022-03-30
GHSA
Missing permission checks in Jenkins Proxmox Plugin2022-03-30
CVEList
CVE-2022-28144: Jenkins Proxmox Plugin 02022-03-29

📋Vendor Advisories

1
Jenkins
Jenkins Security Advisory 2022-03-292022-03-29
CVE-2022-28144 (MEDIUM CVSS 6.5) | Jenkins Proxmox Plugin 0.7.0 and ea | cvebase.io