Missing Permission Checks in Jenkins XebiaLabs XL Release Plugin
CVE-2022-34781

6.5MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Xebialabs Xl Release Plugin
Vendor: CVE Published:; 30 June 2022

Summary

The Jenkins XebiaLabs XL Release Plugin prior to version 22.0.0 contains a significant security gap whereby missing permission checks enable unauthorized users, possessing Overall/Read permissions, to connect to any HTTP server of their choosing. This access can potentially expose sensitive credentials stored within Jenkins by utilizing attacker-specified credential IDs acquired through other means. Organizations using affected versions are urged to apply the latest updates to mitigate this risk and safeguard their systems.

Affected Version(s)

Jenkins XebiaLabs XL Release Plugin <= 22.0.0

References

https://www.jenkins.io/security/advisory/2022-06-30/#SECU...

x_refsource_CONFIRM

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 30, 2022
Vulnerability Reserved
Jun 29, 2022