CVE-2022-36907: Missing permission check in Jenkins OpenShift Deployer Plugin
4.3
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.51068%
CWE
Published
7/28/2022
Updated
1/28/2023
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.jenkins-ci.plugins:openshift-deployer | maven | <= 1.2.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from a missing permission check in a form validation method. Jenkins plugins typically implement form validation through doCheck* methods in Descriptor classes. The advisory specifically mentions this occurs in 'a method implementing form validation' related to URL/credential verification. The OpenShift Deployer Plugin would need such methods to validate() OpenShift server connections, and the lack of permission checks in these methods aligns with the described attack vector where attackers with Read permissions can abuse the validation endpoint.