
CVE-2022-36915: Jenkins Android Signing Plugin allows attackers to check whether attacker-specified file patterns match workspace contents

CVSS Score (CVSS 3.1): 4.3

Basic Information

EPSS Score: 0.23415%
Published: 7/28/2022
Updated: 1/3/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
org.jenkins-ci.plugins:android-signing | maven | <= 2.2.5 |

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from a missing Item/Workspace permission check in a form validation handler. The GitHub commit diff shows that the fix adds 'project.checkPermission(Item.WORKSPACE)' to the 'doCheckApksToSign' method, confirming this was the vulnerable entry point. This matches the CWE-862 (Missing Authorization) pattern and the advisory's description of attackers exploiting form validation without workspace permissions.


WAF Protection Rules

WAF Rule

Jenkins Android Signing Plugin 2.2.5 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Item/Read permission but without Item/Workspace or Item/Configure permission to check whether a
