Insufficient Permission Checks in Jenkins Deployer Framework Plugin
CVE-2022-36891

4.3MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Deployer Framework Plugin
Vendor: CVE Published:; 27 July 2022

Summary

The Jenkins Deployer Framework Plugin is vulnerable due to a missing permission check that allows users with Item/Read permission to access deployment logs, even if they lack the Deploy Now/Deploy permission. This flaw can potentially expose sensitive information, leading to unauthorized disclosure of deployment activity and logs. Organizations using the affected versions should address this vulnerability promptly to protect against potential information leakage.

Affected Version(s)

Jenkins Deployer Framework Plugin <= 85.v1d1888e8c021

Jenkins Deployer Framework Plugin 1.3.1

References

https://www.jenkins.io/security/advisory/2022-07-27/#SECU...

x_refsource_CONFIRM

http://www.openwall.com/lists/oss-security/2022/07/27/1

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 27, 2022
Vulnerability Reserved
Jul 27, 2022