Permission Bypass in Jenkins Lucene-Search Plugin by Jenkins
CVE-2022-36910

5.4MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Lucene-search Plugin
Vendor: CVE Published:; 27 July 2022

What is CVE-2022-36910?

The Jenkins Lucene-Search Plugin, specifically version 370.v62a5f618cd3a and earlier, lacks proper permission checks across various HTTP endpoints. This oversight allows attackers with Overall/Read permissions to reindex the database, potentially uncovering sensitive information about various jobs that should remain inaccessible.

Affected Version(s)

Jenkins Lucene-Search Plugin <= 370.v62a5f618cd3a

References

https://www.jenkins.io/security/advisory/2022-07-27/#SECU...

x_refsource_CONFIRM

http://www.openwall.com/lists/oss-security/2022/07/27/1

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 27, 2022
Vulnerability Reserved
Jul 27, 2022