Permission Bypass in Jenkins Proxmox Plugin Affects User Security
CVE-2022-28144

6.5MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Proxmox Plugin
Vendor: CVE Published:; 29 March 2022

Summary

The Jenkins Proxmox Plugin, specifically version 0.7.0 and earlier, lacks essential permission checks in several HTTP endpoints. This oversight allows users with Overall/Read permissions to perform unauthorized actions. Attackers can establish a connection to a targeted host using arbitrary credentials and disable SSL/TLS validation for the entire Jenkins controller JVM during the connection test. Additionally, they can manipulate rollback tests with their own parameters, exposing systems to further risks.

Affected Version(s)

Jenkins Proxmox Plugin <= 0.7.0

References

https://www.jenkins.io/security/advisory/2022-03-29/#SECU...

x_refsource_CONFIRM

http://www.openwall.com/lists/oss-security/2022/03/29/1

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 29, 2022
Vulnerability Reserved
Mar 29, 2022