
CVE-2022-41250: Missing permission check in Jenkins SCM HttpClient Plugin allows capturing credentials

CVSS Score: 4.2 (CVSS v3.1)

Basic Information

EPSS Score: 0.26461%
Published: 9/22/2022
Updated: 2/2/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Package Name: com.meowlomo.jenkins:scm-httpclient
Ecosystem: maven
Vulnerable Versions: <= 1.5
First Patched Version: (not listed)

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability centers on a missing permission check in a form validation method. Jenkins plugin form validation methods typically follow the 'doCheck[FieldName]' pattern in Descriptor classes. The advisory specifically mentions this affects credential validation for HTTP server connections. The combination of missing authorization (CWE-862) and CSRF vulnerability suggests a GET-accessible validation endpoint in the plugin's configuration descriptor that handles server/credential validation without proper security checks.
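The pattern the analysis describes, as an added illustration written for this page and not the plugin's own code: a Jenkins Descriptor doCheck method that connects to a user-supplied HTTP server with user-supplied credentials, shown first as the unprotected GET-reachable form and then hardened with the permission check and @POST annotation Jenkins expects on such endpoints. The class, method and helper names (HttpServerConfig, DescriptorImpl, canConnect) are hypothetical, and canConnect stands in for whatever connection logic the plugin performs.

```java
import hudson.Extension;
import hudson.model.Describable;
import hudson.model.Descriptor;
import hudson.model.Item;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

/** Hypothetical configuration object standing in for the plugin's server settings. */
public class HttpServerConfig implements Describable<HttpServerConfig> {
    @Override
    public Descriptor<HttpServerConfig> getDescriptor() {
        return Jenkins.get().getDescriptorOrDie(getClass());
    }

    /** Hypothetical placeholder for the plugin's connection test against serverUrl. */
    static boolean canConnect(String serverUrl, String credentialsId) {
        return serverUrl != null && serverUrl.startsWith("https://");
    }

    @Extension
    public static class DescriptorImpl extends Descriptor<HttpServerConfig> {

        // BEFORE (the pattern the analysis describes): Stapler routes this doCheck method
        // for GET as well as POST and nothing checks who is calling, so any user holding
        // Overall/Read can make the controller connect to a server and credentials of
        // their choosing, and a cross-site request can trigger the same call (CSRF).
        public FormValidation doCheckCredentialsIdUnprotected(
                @QueryParameter String serverUrl, @QueryParameter String credentialsId) {
            return canConnect(serverUrl, credentialsId)
                    ? FormValidation.ok() : FormValidation.error("Connection failed");
        }

        // AFTER: @POST rejects GET requests (closing the CSRF route) and the permission
        // check limits the endpoint to users allowed to configure the enclosing item or,
        // when validating global configuration (no item in scope), to administrators.
        @POST
        public FormValidation doCheckCredentialsId(@AncestorInPath Item item,
                @QueryParameter String serverUrl, @QueryParameter String credentialsId) {
            if (item == null) {
                Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            } else {
                item.checkPermission(Item.CONFIGURE);
            }
            if (serverUrl == null || serverUrl.isEmpty()) {
                return FormValidation.ok(); // nothing to validate yet; no connection made
            }
            return canConnect(serverUrl, credentialsId)
                    ? FormValidation.ok() : FormValidation.error("Connection failed");
        }
    }
}
```

checkPermission throws AccessDeniedException for callers without the permission, so the connection attempt never happens for them; the same check belongs on every doCheck or doFill method that performs a side effect such as a network call.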


Description

SCM HttpClient Plugin 1.5 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials.
