
CVE-2022-36888: Jenkins HashiCorp Vault Plugin does not perform permission checks in several HTTP endpoints that perform Vault connection tests

CVSS Score (v3.1)
4.2

Basic Information

EPSS Score
0.61782%
Published
7/28/2022
Updated
1/5/2024
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Package Name
com.datapipe.jenkins.plugins:hashicorp-vault-plugin
Ecosystem
maven
Vulnerable Versions
<= 354.vdb
First Patched Version
355.v3b_38d767a_b_a_8

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stemmed from missing Jenkins.ADMINISTER permission checks in the 'doTestConnection' methods of multiple credential implementations. These methods back the HTTP endpoints that perform Vault connection tests. The commit 3b38d76 explicitly adds Jenkins.get().checkPermission(Jenkins.ADMINISTER) to each of these methods, confirming that they were the attack surface. CWE-862 (Missing Authorization) maps directly to the absence of these checks, which allowed attackers with lower privileges to invoke the endpoints. The accompanying Jelly UI changes hide the test buttons from non-admins, but that is only cosmetic; the core vulnerability was in the backend authorization logic.
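As an added illustration of the pattern described above (not the plugin's own code; the class name, the `tryConnect` helper and the Vault lookup-self call are assumptions for the example), here is a Stapler web method in its vulnerable shape, with no authorization check, beside the hardened form that requires Jenkins.ADMINISTER before any Vault request is made:

```java
// Added illustration of the CWE-862 pattern described above; not the plugin's
// own code. Class, helper and parameter names are assumed for the example.
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Duration;

public class VaultCredentialDescriptorExample {
    // Assumed helper: asks Vault to validate the supplied token and returns an
    // error message, or null when the lookup succeeds. Note that the request
    // is made FROM the Jenkins controller with a caller-supplied URL and token.
    private static String tryConnect(String vaultUrl, String token) {
        try {
            HttpRequest req = HttpRequest.newBuilder(URI.create(vaultUrl + "/v1/auth/token/lookup-self"))
                    .header("X-Vault-Token", token).timeout(Duration.ofSeconds(5))
                    .GET().build();
            HttpResponse<String> resp =
                    HttpClient.newHttpClient().send(req, HttpResponse.BodyHandlers.ofString());
            return resp.statusCode() == 200 ? null : "Vault returned HTTP " + resp.statusCode();
        } catch (Exception e) {
            return "Connection failed: " + e.getMessage();
        }
    }

    // BEFORE (vulnerable shape): no authorization check, so any user who can
    // reach the Stapler endpoint can make the controller run the test with
    // parameters of their choosing.
    public FormValidation doTestConnectionBefore(@QueryParameter String vaultUrl,
                                                 @QueryParameter String token) {
        String err = tryConnect(vaultUrl, token);
        return err == null ? FormValidation.ok("Connected") : FormValidation.error(err);
    }

    // AFTER: the check the analysis describes. checkPermission throws an
    // AccessDeniedException for non-administrators before any Vault request is
    // sent. @POST is an additional, commonly applied hardening (not part of the
    // described commit): it rejects GET, so the test cannot be triggered by a link.
    @POST
    public FormValidation doTestConnection(@QueryParameter String vaultUrl,
                                           @QueryParameter String token) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        String err = tryConnect(vaultUrl, token);
        return err == null ? FormValidation.ok("Connected") : FormValidation.error(err);
    }
}
```

The same authorization-then-act ordering applies to every web method that performs a side effect or contacts an external system on the caller's behalf; hiding a button in the Jelly view does not restrict the URL.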


WAF Protection Rules

WAF Rule

A missing permission check in Jenkins HashiCorp Vault Plugin [vulnerable version string masked on the page] and earlier allows attackers with Overall/Read permission to obtain credentials stored in Vault with attacker-specified path and keys.