CVE-2022-36921

CWE-862Missing Authorization5 documents5 sources
Severity
8.1HIGH
EPSS
0.5%
top 32.16%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Jenkins Project Jenkins Coverity PluginJenkins Coverity
Timeline
PublishedJul 27
Latest updateJul 28

Description

A missing permission check in Jenkins Coverity Plugin 1.11.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:NExploitability: 2.8 | Impact: 5.2

Affected Packages3 packages

CVEListV5jenkins_project/jenkins_coverity_pluginunspecified1.11.4
NVDjenkins/coverity1.11.4

🔴Vulnerability Details

3
OSV
Missing permission check in Coverity Plugin allows capturing credentials2022-07-28
GHSA
Missing permission check in Coverity Plugin allows capturing credentials2022-07-28
CVEList
CVE-2022-36921: A missing permission check in Jenkins Coverity Plugin 12022-07-27

📋Vendor Advisories

1
Jenkins
Jenkins Security Advisory 2022-07-272022-07-27
CVE-2022-36921 (HIGH CVSS 8.1) | A missing permission check in Jenki | cvebase.io