Lucene search

JenkinsCVE-2022-36921

HistoryJul 27, 2022 - 3:15 p.m.

CVE-2022-36921

2022-07-2715:15:13

CWE-862

jenkins

web.nvd.nist.gov

cve-2022-36921

jenkins

coverity plugin

permission check

overall/read permission

url

credentials ids

nvd

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

AI Score

7.8

Confidence

High

EPSS

0.001

Percentile

28.4%

JSON

A missing permission check in Jenkins Coverity Plugin 1.11.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Affected configurations

Nvd

Node

jenkinscoverityRange≤1.11.4jenkins

VendorProductVersionCPE
jenkinscoverity*cpe:2.3:a:jenkins:coverity:*:*:*:*:*:jenkins:*:*

Vendor	Product	Version	CPE
jenkins	coverity	*	cpe:2.3:a:jenkins:coverity::::::jenkins::*

CNA Affected

[
  {
    "product": "Jenkins Coverity Plugin",
    "vendor": "Jenkins project",
    "versions": [
      {
        "lessThanOrEqual": "1.11.4",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThan": "unspecified",
        "status": "unknown",
        "version": "next of 1.11.4",
        "versionType": "custom"
      }
    ]
  }
]

References

www.openwall.com/lists/oss-security/2022/07/27/1

www.jenkins.io/security/advisory/2022-07-27/#SECURITY-2790%20%282%29

Social References

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

AI Score

7.8

Confidence

High

EPSS

0.001

Percentile

28.4%

JSON

Related for CVE-2022-36921