CVE-2022-36891

CWE-862 — Missing Authorization5 documents5 sources

Severity

4.3MEDIUM

EPSS

0.3%

top 47.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Deployer Framework Plugin Jenkins Deployer Framework

Timeline

PublishedJul 27

Latest updateJul 28

Description

A missing permission check in Jenkins Deployer Framework Plugin 85.v1d1888e8c021 and earlier allows attackers with Item/Read permission but without Deploy Now/Deploy permission to read deployment logs.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶Mavenorg.jenkins-ci.plugins:deployer-framework< 86.v7b_a_4a_55b_f3ec

▶CVEListV5jenkins_project/jenkins_deployer_framework_pluginunspecified — 85.v1d1888e8c021

▶NVDjenkins/deployer_framework85.v1d1888e8c021

🔴Vulnerability Details

GHSA

Jenkins Deployer Framework Plugin allows attackers with Item/Read permission to read deployment logs↗2022-07-28

▶

OSV

Jenkins Deployer Framework Plugin allows attackers with Item/Read permission to read deployment logs↗2022-07-28

▶

CVEList

CVE-2022-36891: A missing permission check in Jenkins Deployer Framework Plugin 85↗2022-07-27

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2022-07-27↗2022-07-27

▶