CVE-2022-41254 — Missing Authorization in Project Jenkins Cons3rt Plugin

CWE-862 — Missing Authorization5 documents5 sources

Severity

6.5MEDIUMNVD

EPSS

0.5%

top 32.12%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Cons3rt Plugin Jenkins Cons3rt

Timeline

PublishedSep 21

Latest updateSep 22

Description

Missing permission checks in Jenkins CONS3RT Plugin 1.0.0 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5jenkins_project/jenkins_cons3rt_pluginunspecified — 1.0.0

▶NVDjenkins/cons3rt1.0.0

🔴Vulnerability Details

OSV

Missing permission checks in Jenkins CONS3RT Plugin allow capturing credentials↗2022-09-22

▶

GHSA

Missing permission checks in Jenkins CONS3RT Plugin allow capturing credentials↗2022-09-22

▶

CVEList

CVE-2022-41254: Missing permission checks in Jenkins CONS3RT Plugin 1↗2022-09-21

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2022-09-21↗2022-09-21

▶