Miggo Logo
Miggo Vulnerability Database
CVE-2022-34210

CVE-2022-34210: Missing permission check in Jenkins ThreadFix Plugin

4.3

CVSS Score
3.1

Basic Information

CVE ID
CVE-2022-34210
GHSA ID
GHSA-77vq-4j66-46m5
EPSS Score
0.71115%
CWE
CWE-862
Published
6/24/2022
Updated
1/31/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jenkins-ci.plugins:threadfixmaven<= 1.5.4

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The advisory explicitly states the vulnerability stems from a missing permission check in a form validation method. Jenkins plugins typically implement form validation methods in DescriptorImpl classes with 'doValidate' prefixes. The ThreadFixBuilder's descriptor would logically contain validation logic for application URLs. The combination of missing permission checks (Jenkins.get().checkPermission) and lack of @RequirePOST annotation matches the described vulnerability pattern (CWE-862). The high confidence comes from the direct match between the advisory description and common Jenkins plugin implementation patterns.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* missin* p*rmission ****k in J*nkins T*r****ix Plu*in *.*.* *n* **rli*r *llows *tt**k*rs wit* Ov*r*ll/R*** p*rmission to *onn**t to *n *tt**k*r-sp**i*i** URL.

Reasoning

T** **visory *xpli*itly st*t*s t** vuln*r**ility st*ms *rom * missin* p*rmission ****k in * *orm `v*li**tion` m*t*o*. J*nkins plu*ins typi**lly impl*m*nt *orm `v*li**tion` m*t*o*s in `**s*riptorImpl` *l*ss*s wit* '*oV*li**t*' pr**ix*s. T** `T*r****ix