CVE-2022-36904

CWE-862 — Missing Authorization5 documents5 sources

Severity

4.3MEDIUM

EPSS

0.1%

top 74.02%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Repository Connector Plugin Jenkins Repository Connector

Timeline

PublishedJul 27

Latest updateJul 28

Description

Jenkins Repository Connector Plugin 2.2.0 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶Mavenorg.jenkins-ci.plugins:repository-connector2.2.0

▶CVEListV5jenkins_project/jenkins_repository_connector_pluginunspecified — 2.2.0

▶NVDjenkins/repository_connector2.2.0

🔴Vulnerability Details

OSV

Jenkins Repository Connector Plugin does not perform a permission check in a method implementing form validation↗2022-07-28

▶

GHSA

Jenkins Repository Connector Plugin does not perform a permission check in a method implementing form validation↗2022-07-28

▶

CVEList

CVE-2022-36904: Jenkins Repository Connector Plugin 2↗2022-07-27

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2022-07-27↗2022-07-27

▶