Moderate severity · NVD Advisory · Published Jan 12, 2022 · Updated Aug 3, 2024
CVE-2022-23112
CVE-2022-23112
Description
A missing permission check in Jenkins Publish Over SSH Plugin 1.22 and earlier allows attackers with Overall/Read access to connect to an attacker-specified SSH server using attacker-specified credentials.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:publish-over-ssh (Maven) | < 1.24 | 1.24 |
Affected products
- Range: unspecified
Patches
c2e5ad99da6d [SECURITY-2290] check permission as well
3 files changed · +6 −0
src/main/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshCredentialsDescriptor.java+1 −0 modified@@ -72,6 +72,7 @@ public FormValidation doCheckKeyPath(@QueryParameter final String value) { public FormValidation doTestConnection(@QueryParameter final String configName, @QueryParameter final String username, @QueryParameter final String encryptedPassphrase, @QueryParameter final String key, @QueryParameter final String keyPath) { + Jenkins.get().checkPermission(Jenkins.ADMINISTER); final BapSshCredentials credentials = new BapSshCredentials(username, encryptedPassphrase, key, keyPath); final BPBuildInfo buildInfo = BapSshPublisherPluginDescriptor.createDummyBuildInfo(); buildInfo.put(BPBuildInfo.OVERRIDE_CREDENTIALS_CONTEXT_KEY, credentials);
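Review bot: The added `Jenkins.get().checkPermission(Jenkins.ADMINISTER);` guards only `doTestConnection`; the sibling `doCheckKeyPath` that the hunk header places at line 72 of this file is left untouched, while the same-named method in BapSshHostConfigurationDescriptor receives the identical check in this commit. If that method also resolves the caller-supplied path on the controller (its body is not visible here), it exposes file-existence information to anyone with Overall/Read and needs the same `@RequirePOST` plus permission check. A one-line why-comment on the added line, `// SECURITY-2290: connecting with caller-supplied credentials is an admin-only action`, would keep the guard from being dropped in a later refactor. The method body continues outside the hunk.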
src/main/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshHostConfigurationDescriptor.java+4 −0 modified@@ -81,12 +81,16 @@ public FormValidation doCheckTimeout(@QueryParameter final String value) { return FormValidation.validateNonNegativeInteger(value); } + @RequirePOST public FormValidation doCheckKeyPath(@QueryParameter final String value) { + Jenkins.get().checkPermission(Jenkins.ADMINISTER)); return BPValidators.validateFileOnMaster(value); } @RequirePOST public FormValidation doTestConnection(final StaplerRequest request, final StaplerResponse response) { + Jenkins.get().checkPermission(Jenkins.ADMINISTER); + final BapSshPublisherPlugin.Descriptor pluginDescriptor; Jenkins j = Jenkins.getInstanceOrNull(); if(j != null) {
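Review bot: As rendered, the line added to `doCheckKeyPath` reads `Jenkins.get().checkPermission(Jenkins.ADMINISTER));` with an unbalanced `)`, and the line added to `doTestConnection` in BapSshPublisherPluginDescriptor (next section) shows `;);`; these are probably page extraction artifacts, but the committed lines should be confirmed to read `Jenkins.get().checkPermission(Jenkins.ADMINISTER);`. In `doTestConnection`, the new `Jenkins.get()` call makes the existing `Jenkins j = Jenkins.getInstanceOrNull(); if(j != null)` guard dead, since `Jenkins.get()` already fails when no instance exists; the two lines could become `final Jenkins j = Jenkins.get(); j.checkPermission(Jenkins.ADMINISTER);` and the null branch removed. `doTestConnection` continues outside the hunk.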
src/main/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshPublisherPluginDescriptor.java+1 −0 modified@@ -193,6 +193,7 @@ public jenkins.plugins.publish_over.view_defaults.manage_jenkins.Messages getCom @RequirePOST public FormValidation doTestConnection(final StaplerRequest request, final StaplerResponse response) { + Jenkins.get().checkPermission(Jenkins.ADMINISTER);); final BapSshHostConfiguration hostConfig = request.bindParameters(BapSshHostConfiguration.class, ""); hostConfig.setCommonConfig(request.bindParameters(BapSshCommonConfiguration.class, "common.")); return validateConnection(hostConfig, createDummyBuildInfo());
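Review bot: Neither this `doTestConnection` nor the two others patched in this commit document that they are Stapler web endpoints gated by ADMINISTER and POST, so the contract lives only in one undocumented line; a short Javadoc such as `/** Stapler web method; requires {@link Jenkins#ADMINISTER} and POST before the request-bound host configuration is connected to. */` would make it survive future edits. The guard is correctly placed ahead of `request.bindParameters`, so an unauthorized caller never has its supplied host configuration bound or used. The method body continues outside the hunk.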
21bf41adbce9 [SECURITY-2290] add missing @RequirePOST
3 files changed · +6 −0
src/main/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshCredentialsDescriptor.java+2 −0 modified@@ -37,6 +37,7 @@ import jenkins.plugins.publish_over_ssh.BapSshPublisherPlugin; import org.kohsuke.stapler.QueryParameter; import org.kohsuke.stapler.Stapler; +import org.kohsuke.stapler.interceptor.RequirePOST; import java.io.IOException; @@ -73,6 +74,7 @@ public FormValidation doCheckKeyPath(@QueryParameter final String value) { } } + @RequirePOST public FormValidation doTestConnection(@QueryParameter final String configName, @QueryParameter final String username, @QueryParameter final String encryptedPassphrase, @QueryParameter final String key, @QueryParameter final String keyPath) {
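Review bot: `@RequirePOST` on `doTestConnection` closes the GET-triggered (cross-site request) path but adds no authorization check, so after this change a logged-in user with Overall/Read who submits a normal POST can still reach the connection attempt with the `@QueryParameter` values they supply; the same applies to the `doTestConnection` methods in the next two sections. The companion commit c2e5ad99da6d on this page adds `Jenkins.get().checkPermission(Jenkins.ADMINISTER);` to all three, and the two commits should be released together. The context at line 84 of BapSshHostConfigurationDescriptor (next section) shows `doCheckKeyPath` still without the annotation, which that companion commit also addresses.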
src/main/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshHostConfigurationDescriptor.java+2 −0 modified@@ -35,6 +35,7 @@ import org.kohsuke.stapler.QueryParameter; import org.kohsuke.stapler.StaplerRequest; import org.kohsuke.stapler.StaplerResponse; +import org.kohsuke.stapler.interceptor.RequirePOST; @Extension public class BapSshHostConfigurationDescriptor extends Descriptor<BapSshHostConfiguration> { @@ -84,6 +85,7 @@ public FormValidation doCheckKeyPath(@QueryParameter final String value) { return BPValidators.validateFileOnMaster(value); } + @RequirePOST public FormValidation doTestConnection(final StaplerRequest request, final StaplerResponse response) { final BapSshPublisherPlugin.Descriptor pluginDescriptor; Jenkins j = Jenkins.getInstanceOrNull();
src/main/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshPublisherPluginDescriptor.java+2 −0 modified@@ -53,6 +53,7 @@ import jenkins.plugins.publish_over_ssh.options.SshDefaults; import jenkins.plugins.publish_over_ssh.options.SshPluginDefaults; import net.sf.json.JSONObject; +import org.kohsuke.stapler.interceptor.RequirePOST; @SuppressWarnings("PMD.TooManyMethods") public class BapSshPublisherPluginDescriptor extends BuildStepDescriptor<Publisher> { @@ -190,6 +191,7 @@ public jenkins.plugins.publish_over.view_defaults.manage_jenkins.Messages getCom return new jenkins.plugins.publish_over.view_defaults.manage_jenkins.Messages(); } + @RequirePOST public FormValidation doTestConnection(final StaplerRequest request, final StaplerResponse response) { final BapSshHostConfiguration hostConfig = request.bindParameters(BapSshHostConfiguration.class, ""); hostConfig.setCommonConfig(request.bindParameters(BapSshCommonConfiguration.class, "common."));
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-vc4r-j8j6-3fp6 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-23112 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2022/01/12/6 (ghsa, mailing-list, x_refsource_MLIST, WEB)
- github.com/jenkinsci/publish-over-ssh-plugin/commit/21bf41adbce9e71d3f77e113e29bf81d437cadc3 (ghsa, WEB)
- github.com/jenkinsci/publish-over-ssh-plugin/commit/c2e5ad99da6de4b9152ae0691f112145358a5666 (ghsa, WEB)
- www.jenkins.io/security/advisory/2022-01-12/ (ghsa, x_refsource_CONFIRM, WEB)
News mentions
No linked articles in our index yet.