Jenkins Compuware Plugin Vulnerability Exposes Configuration and Credential Details
CVE-2022-36896

6.5MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Compuware Source Code Download For Endevor, Pds, And Ispw Plugin
Vendor: CVE Published:; 27 July 2022

What is CVE-2022-36896?

A missing permission check in the Jenkins Compuware Source Code Download for Endevor, PDS, and ISPW Plugin prior to version 2.0.12 could allow attackers with Overall/Read permissions to enumerate sensitive configurations, including host and port details, and access stored credentials IDs. This flaw poses risks to the integrity and confidentiality of Jenkins setups that leverage this plugin, potentially exposing critical information to unauthorized users.

Affected Version(s)

Jenkins Compuware Source Code Download for Endevor, PDS, and ISPW Plugin <= 2.0.12

References

https://www.jenkins.io/security/advisory/2022-07-27/#SECU...

x_refsource_CONFIRM

http://www.openwall.com/lists/oss-security/2022/07/27/1

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 27, 2022
Vulnerability Reserved
Jul 27, 2022