Missing Permission Check in Jenkins Compuware ISPW Operations Plugin
CVE-2022-36898

4.3MEDIUM

Key Information:

Vendor
Jenkins
Status
Jenkins Compuware Ispw Operations Plugin
Vendor
CVE Published:
27 July 2022

Summary

The Jenkins Compuware ISPW Operations Plugin prior to version 1.0.8 has a flaw that allows users with Overall/Read permission to extract sensitive information. This includes enumerating hosts and ports of Compuware configurations as well as credential IDs stored within Jenkins. Without adequate permission checks, this vulnerability could lead to unauthorized disclosure of critical configuration data.

Affected Version(s)

Jenkins Compuware ISPW Operations Plugin <= 1.0.8

References

https://www.jenkins.io/security/advisory/2022-07-27/#SECU...
x_refsource_CONFIRM
http://www.openwall.com/lists/oss-security/2022/07/27/1
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.