Miggo Logo
Miggo Vulnerability Database
CVE-2022-36907

CVE-2022-36907: Missing permission check in Jenkins OpenShift Deployer Plugin

4.3

CVSS Score
3.1

Basic Information

CVE ID
CVE-2022-36907
GHSA ID
GHSA-jvjh-9r4q-8q5q
EPSS Score
0.51068%
CWE
CWE-862
Published
7/28/2022
Updated
1/28/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jenkins-ci.plugins:openshift-deployermaven<= 1.2.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from a missing permission check in a form validation method. Jenkins plugins typically implement form validation through doCheck* methods in Descriptor classes. The advisory specifically mentions this occurs in 'a method implementing form validation' related to URL/credential verification. The OpenShift Deployer Plugin would need such methods to validate() OpenShift server connections, and the lack of permission checks in these methods aligns with the described attack vector where attackers with Read permissions can abuse the validation endpoint.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Op*nS*i*t **ploy*r Plu*in *.*.* *n* **rli*r *o*s not p*r*orm * p*rmission ****k in * m*t*o* impl*m*ntin* *orm v*li**tion. T*is *llows *tt**k*rs wit* Ov*r*ll/R*** p*rmission to *onn**t to *n *tt**k*r-sp**i*i** URL usin* *tt**k*r-sp**i*i** us*rn*m* *n

Reasoning

T** vuln*r**ility st*ms *rom * missin* p*rmission ****k in * *orm `v*li**tion` m*t*o*. J*nkins `plu*ins` typi**lly impl*m*nt *orm `v*li**tion` t*rou** `*o****k*` m*t*o*s in `**s*riptor` *l*ss*s. T** **visory sp**i*i**lly m*ntions t*is o**urs in '* m*