CVE-2022-41233

CWE-862 — Missing Authorization5 documents5 sources

Severity

4.3MEDIUM

EPSS

0.3%

top 51.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Rundeck Plugin Jenkins Rundeck

Timeline

PublishedSep 21

Latest updateSep 22

Description

Jenkins Rundeck Plugin 3.6.11 and earlier does not perform Run/Artifacts permission checks in multiple HTTP endpoints, allowing attackers with Item/Read permission to obtain information about build artifacts of a given job, if the optional Run/Artifacts permission is enabled.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶Mavenorg.jenkins-ci.plugins:rundeck< 3.6.12

▶CVEListV5jenkins_project/jenkins_rundeck_pluginunspecified — 3.6.11

▶NVDjenkins/rundeck3.6.11

🔴Vulnerability Details

OSV

Jenkins Rundeck Plugin Missing Authorization vulnerability↗2022-09-22

▶

GHSA

Jenkins Rundeck Plugin Missing Authorization vulnerability↗2022-09-22

▶

CVEList

CVE-2022-41233: Jenkins Rundeck Plugin 3↗2022-09-21

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2022-09-21↗2022-09-21

▶