
CVE-2022-28147: Missing permission check in Jenkins Continuous Integration with Toad Edge Plugin

CVSS Score (CVSS v3.1): 4.3

Basic Information

EPSS Score: 0.74667%
Published: 3/30/2022
Updated: 2/2/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name: org.jenkins-ci.plugins:ci-with-toad-edge
Ecosystem: maven
Vulnerable Versions: < 2.4
First Patched Version: 2.4

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The commit diff shows that a security check was added to the doCheckLibs method. The vulnerability description states that this method lacked an authorization check, so users holding only Overall/Read permission could call it. The patch adds Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER) to enforce authorization, confirming that this was the missing security control.
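The pattern the root cause describes, as an added illustration that is not the plugin's own code and is not taken from this page or from the Jenkins project: a Jenkins form-validation method (doCheckLibs, the name given above) that answers a file-existence question for whoever can reach its endpoint, beside the hardened shape that enforces a permission before touching the controller file system. The descriptor class, the parameter name and the error messages are assumptions; Jenkins.get() is the current equivalent of the Jenkins.getInstance() call quoted in the analysis.

```java
import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;

import java.io.File;

// Hypothetical descriptor hosting the form-validation methods; the real plugin's classes differ.
@Extension
public class ExampleBuilderDescriptor extends BuildStepDescriptor<Builder> {

    // BEFORE (vulnerable shape): Stapler exposes every public doCheck* method as an HTTP endpoint,
    // so any user who can reach it learns whether an arbitrary path exists on the controller.
    public FormValidation doCheckLibsUnprotected(@QueryParameter String value) {
        if (value == null || value.isEmpty()) {
            return FormValidation.error("Path to libraries is required");
        }
        File libs = new File(value);
        return libs.exists() ? FormValidation.ok() : FormValidation.error("Path does not exist");
    }

    // AFTER (hardened shape, mirroring the patch described above): require Overall/Administer
    // before doing anything with the path. checkPermission throws AccessDeniedException,
    // which Stapler turns into an HTTP 403, for callers that lack the permission.
    public FormValidation doCheckLibs(@QueryParameter String value) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        if (value == null || value.isEmpty()) {
            return FormValidation.error("Path to libraries is required");
        }
        File libs = new File(value);
        return libs.exists() ? FormValidation.ok() : FormValidation.error("Path does not exist");
    }

    @Override
    public boolean isApplicable(Class<? extends AbstractProject> jobType) {
        return true;
    }
}
```

The essential point for review is that the permission check runs before any file-system access, not after: a check placed after the lookup would still leak the existence result through the error path. When auditing a plugin for this class of issue, list every public doCheck*, doFill* and doValidate* method on its descriptors and confirm each one either calls checkPermission (or the item-scoped equivalent) or genuinely touches nothing beyond its own parameters.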


WAF Protection Rules

WAF Rule

A missing permission check in Jenkins Continuous Integration with Toad Edge Plugin 2.3 and earlier allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.
