Missing Permission Check in Jenkins ThreadFix Plugin from Jenkins
CVE-2022-34210

6.5MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Threadfix Plugin
Vendor: CVE Published:; 23 June 2022

Summary

The Jenkins ThreadFix Plugin has a critical security oversight due to a missing permission check. This flaw allows users with Overall/Read permission to connect to URLs specified by an attacker. Compromise through this vulnerability could lead to unauthorized data exposure or other malicious activities, emphasizing the necessity for immediate updates to secure the environment.

Affected Version(s)

Jenkins ThreadFix Plugin <= 1.5.4

References

https://www.jenkins.io/security/advisory/2022-06-22/#SECU...

x_refsource_CONFIRM

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 23, 2022
Vulnerability Reserved
Jun 21, 2022