CVE-2022-20616
Description
Jenkins Credentials Binding Plugin 1.27 and earlier allows attackers with Overall/Read access to validate if a credential ID refers to a secret file and whether it's a zip file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Jenkins Credentials Binding Plugin versions 1.27 and earlier contain a missing permission check in a method that implements form validation [1][2][3]. This allows an attacker with Overall/Read access to determine if a given credential ID corresponds to a secret file credential and, if so, whether that file is a zip file [1][3]. No special configuration is required to reach the vulnerable code path; the form validation endpoint is accessible to any user with the minimal Overall/Read permission.
Exploitation
An attacker needs only Overall/Read access to the Jenkins instance, a low-privilege permission often granted to all authenticated users or, in some configurations, even to anonymous users. By sending a crafted request to the form validation method, the attacker can systematically probe credential IDs and receive a form-validation result that reveals whether the credential is a secret file and whether it is a zip file [1][3]. The attack requires no user interaction and no additional write privileges.
Impact
The impact is limited to information disclosure: an attacker can enumerate credential IDs and learn which ones are secret files and which of those are zip files [1][2][3]. The attacker cannot read the contents of the credential files or modify them, but the exposed metadata might be used to target specific credentials in further attacks. The compromised data is of low confidentiality value but could aid in reconnaissance.
Mitigation
The fixed version is Credentials Binding Plugin 1.27.1, which was released on 2022-01-12 alongside the security advisory [1][2]. All users should upgrade to 1.27.1 or later. Jenkins instances with Overall/Read access restricted to only trusted users reduce the attack surface, but the plugin fix is the recommended mitigation. This CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:credentials-binding (Maven) | >= 1.25, < 1.27.1 | 1.27.1 |
| org.jenkins-ci.plugins:credentials-binding (Maven) | < 1.24.1 | 1.24.1 |
Affected products
- Range: unspecified
Patches
2dd5eda721e5 [SECURITY-2342]
2 files changed · +19 −2
src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/ZipFileBinding.java+18 −1 modified@@ -36,13 +36,15 @@ import java.io.InputStream; import java.util.Collections; +import jenkins.model.Jenkins; import org.apache.commons.io.IOUtils; import org.jenkinsci.Symbol; import org.jenkinsci.plugins.credentialsbinding.BindingDescriptor; import org.jenkinsci.plugins.plaincredentials.FileCredentials; import org.kohsuke.stapler.AncestorInPath; import org.kohsuke.stapler.DataBoundConstructor; import org.kohsuke.stapler.QueryParameter; +import org.kohsuke.stapler.StaplerRequest; public class ZipFileBinding extends AbstractOnDiskBinding<FileCredentials> { @@ -72,7 +74,22 @@ public class ZipFileBinding extends AbstractOnDiskBinding<FileCredentials> { return Messages.ZipFileBinding_secret_zip_file(); } - public FormValidation doCheckCredentialsId(@AncestorInPath Item owner, @QueryParameter String value) { + // @RequirePOST + public FormValidation doCheckCredentialsId(StaplerRequest req, @AncestorInPath Item owner, @QueryParameter String value) { + //TODO due to weird behavior in c:select, there are initial calls using GET + // so using this approach will prevent 405 errors + if (!req.getMethod().equals("POST")) { + return FormValidation.ok(); + } + if (owner == null) { + if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) { + return FormValidation.ok(); + } + } else { + if (!owner.hasPermission(Item.EXTENDED_READ) && !owner.hasPermission(CredentialsProvider.USE_ITEM)) { + return FormValidation.ok(); + } + } for (FileCredentials c : CredentialsProvider.lookupCredentials(FileCredentials.class, owner, null, Collections.<DomainRequirement>emptyList())) { if (c.getId().equals(value)) { InputStream is = null;
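Review bot: in the doCheckCredentialsId hunk, the fix replaces `@RequirePOST` (left behind as the dead comment `// @RequirePOST`) with a manual `if (!req.getMethod().equals("POST")) { return FormValidation.ok(); }`, which silently accepts GET requests instead of rejecting them with a 405; the TODO explains this is to tolerate c:select's initial GET calls, but it should name the tracking issue and state explicitly that the permission checks below are only reached on POST, so a later reader does not mistake the GET short-circuit for a bypass, and the stale `// @RequirePOST` line should be removed or folded into that comment. The permission logic itself follows the plugin's convention: with no `owner`, `Jenkins.ADMINISTER` is required; with an `owner`, either `Item.EXTENDED_READ` or `CredentialsProvider.USE_ITEM`; and returning `FormValidation.ok()` rather than an error on failure avoids confirming whether the credential ID exists, which is exactly the metadata this CVE leaks.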
src/main/resources/org/jenkinsci/plugins/credentialsbinding/MultiBinding/config.jelly+1 −1 modified@@ -26,7 +26,7 @@ THE SOFTWARE. <j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form" xmlns:st="jelly:stapler" xmlns:c="/lib/credentials"> <st:include page="config-variables.jelly" class="${descriptor.clazz}"/> <f:entry title="${%Credentials}" field="credentialsId"> - <c:select expressionAllowed="${expressionAllowed}"/> + <c:select expressionAllowed="${expressionAllowed}" checkMethod="post"/> </f:entry> <st:include page="config-details.jelly" class="${descriptor.clazz}" optional="true"/> </j:jelly>
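Review bot: `checkMethod="post"` on the `c:select` in MultiBinding/config.jelly is what keeps credential validation working once the Java side only validates on POST, and because this jelly is the shared MultiBinding config (it includes `config-variables.jelly` and `config-details.jelly` through `${descriptor.clazz}`), it switches the check method for every binding's credentialsId field, not just ZipFileBinding; confirm that each other `doCheckCredentialsId` in the plugin handles POST, and add a short comment in the jelly (or the commit message) explaining why `post` is required, since the Java TODO says c:select still issues initial GET calls even with this attribute set.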
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-gqm2-2gcx-p88w (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-20616 (NVD advisory)
- www.openwall.com/lists/oss-security/2022/01/12/6 (oss-security mailing list, x_refsource_MLIST)
- github.com/CVEProject/cvelist/blob/2d78eb36f4d084db7fb35f1535d8d84fdcb7d859/2022/20xxx/CVE-2022-20616.json (CVE record)
- github.com/jenkinsci/credentials-binding-plugin/commit/2dd5eda721e52d9a5bf6748405adf965ba517d8a (fix commit)
- www.jenkins.io/security/advisory/2022-01-12/ (Jenkins security advisory, x_refsource_CONFIRM)
News mentions
- Jenkins Security Advisory 2022-01-12 (Jenkins Security Advisories, Jan 12, 2022)