Moderate severity · NVD Advisory · Published Feb 15, 2022 · Updated Oct 15, 2024
CVE-2022-25190
Description
A missing permission check in Jenkins Conjur Secrets Plugin 1.0.11 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. The affected endpoints are the `doFillCredentialIDItems` form-filling methods, which list credentials as `ACL.SYSTEM` without first checking the caller's permission; version 1.0.12 adds a `Jenkins.ADMINISTER` check to each of them.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.conjur.jenkins:conjur-credentials (Maven) | < 1.0.12 | 1.0.12 |
Patches
eda06cde26cd — Fix for SECURITY-2350
5 files changed · +8 −4
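--- a/src/main/java/org/conjur/jenkins/api/ConjurAPI.java
+++ b/src/main/java/org/conjur/jenkins/api/ConjurAPI.java
@@ -9,16 +9,16 @@ import java.util.logging.Level;
 import java.util.logging.Logger;
+import com.cloudbees.hudson.plugins.folder.AbstractFolder;
 import com.cloudbees.plugins.credentials.CredentialsMatchers;
 import com.cloudbees.plugins.credentials.CredentialsProvider;
 import com.cloudbees.plugins.credentials.common.UsernamePasswordCredentials;
 import com.cloudbees.plugins.credentials.domains.DomainRequirement;
-import com.cloudbees.hudson.plugins.folder.AbstractFolder;
 import org.conjur.jenkins.configuration.ConjurConfiguration;
 import org.conjur.jenkins.configuration.ConjurJITJobProperty;
-import org.conjur.jenkins.configuration.GlobalConjurConfiguration;
 import org.conjur.jenkins.configuration.FolderConjurConfiguration;
+import org.conjur.jenkins.configuration.GlobalConjurConfiguration;
 import org.conjur.jenkins.jwtauth.impl.JwtToken;
 import hudson.model.AbstractItem;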
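--- a/src/main/java/org/conjur/jenkins/conjursecrets/ConjurSecretCredentialsDescriptor.java
+++ b/src/main/java/org/conjur/jenkins/conjursecrets/ConjurSecretCredentialsDescriptor.java
@@ -10,6 +10,7 @@ import hudson.model.Item;
 import hudson.security.ACL;
 import hudson.util.ListBoxModel;
+import jenkins.model.Jenkins;
 //@Extension
 public class ConjurSecretCredentialsDescriptor extends CredentialsDescriptor {
@@ -20,6 +21,7 @@ public String getDisplayName() {
     }
     public ListBoxModel doFillCredentialIDItems(@AncestorInPath final Item item, @QueryParameter final String uri) {
+        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
         return new StandardListBoxModel().includeAs(ACL.SYSTEM, item, ConjurSecretCredentials.class, URIRequirementBuilder.fromUri(uri).build());
     }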
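Review bot: The added `Jenkins.get().checkPermission(Jenkins.ADMINISTER)` in `doFillCredentialIDItems` never consults the `item` the form is being filled for, so a user with Configure rights on a job or folder but without Overall/Administer now gets an exception from the dropdown, even though the lookup below still runs as `ACL.SYSTEM` and is the only thing this check gates. The pattern used elsewhere in the Jenkins credentials ecosystem is to require `Jenkins.ADMINISTER` only when `item == null`, otherwise `Item.EXTENDED_READ` or `CredentialsProvider.USE_ITEM` on `item`, and to return an empty `StandardListBoxModel` instead of throwing so the configuration page still renders; `CredentialsProvider` would need importing here if it is not already. Separately, `@Extension` on this class is commented out (`//@Extension`), so it is unclear from this hunk whether this descriptor is actually registered and its endpoint reachable; the check is harmless either way, but it is worth confirming which of the three fillers is the live one.
```java
public ListBoxModel doFillCredentialIDItems(@AncestorInPath final Item item, @QueryParameter final String uri) {
    // The lookup below runs as SYSTEM, so this is the only gate on who may
    // enumerate credential IDs; scope it to the item when there is one.
    if (item == null) {
        if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
            return new StandardListBoxModel();
        }
    } else if (!item.hasPermission(Item.EXTENDED_READ)
            && !item.hasPermission(CredentialsProvider.USE_ITEM)) {
        return new StandardListBoxModel();
    }
    // … unchanged: includeAs(ACL.SYSTEM, item, …) lookup …
}
```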
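--- a/src/main/java/org/conjur/jenkins/conjursecrets/ConjurSecretCredentialsImpl.java
+++ b/src/main/java/org/conjur/jenkins/conjursecrets/ConjurSecretCredentialsImpl.java
@@ -19,7 +19,6 @@ import hudson.Extension;
 import hudson.model.ModelObject;
-import hudson.remoting.Channel;
 import hudson.util.Secret;
 import okhttp3.OkHttpClient;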
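--- a/src/main/java/org/conjur/jenkins/conjursecrets/ConjurSecretUsernameCredentialsImpl.java
+++ b/src/main/java/org/conjur/jenkins/conjursecrets/ConjurSecretUsernameCredentialsImpl.java
@@ -22,6 +22,7 @@ import hudson.security.ACL;
 import hudson.util.ListBoxModel;
 import hudson.util.Secret;
+import jenkins.model.Jenkins;
 @NameWith(value = ConjurSecretCredentials.NameProvider.class, priority = 1)
@@ -94,7 +95,7 @@ public String getDisplayName() {
     }
     public ListBoxModel doFillCredentialIDItems(@AncestorInPath final Item item, @QueryParameter final String uri) {
-        LOGGER.log(Level.FINE, "CONJUR SECRET CREDENTIALS DESCRIPTor");
+        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
         return new StandardListBoxModel().includeAs(ACL.SYSTEM, item, ConjurSecretCredentials.class, URIRequirementBuilder.fromUri(uri).build());
     }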
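Review bot: The new check in `doFillCredentialIDItems` gates an item-scoped lookup (`includeAs(ACL.SYSTEM, item, …)`) on a global permission, so the `item` parameter only influences which credentials are listed, never whether the caller may list them; an item-scoped check such as `if (item != null ? !item.hasPermission(Item.EXTENDED_READ) : !Jenkins.get().hasPermission(Jenkins.ADMINISTER)) return new StandardListBoxModel();` would close the enumeration without breaking the dropdown for job configurers, and returning an empty model rather than letting `checkPermission` throw keeps the form usable. Requiring Overall/Administer is safe as a stopgap, so this is a follow-up rather than a blocker. Since the removed `LOGGER.log(Level.FINE, …)` call was replaced rather than kept, `Level` (and possibly `LOGGER`) may now be unused in this file; the rest of the file is outside the hunk, so please check for dead imports.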
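--- a/src/main/java/org/conjur/jenkins/conjursecrets/ConjurSecretUsernameSSHKeyCredentialsImpl.java
+++ b/src/main/java/org/conjur/jenkins/conjursecrets/ConjurSecretUsernameSSHKeyCredentialsImpl.java
@@ -24,6 +24,7 @@ import hudson.security.ACL;
 import hudson.util.ListBoxModel;
 import hudson.util.Secret;
+import jenkins.model.Jenkins;
 public class ConjurSecretUsernameSSHKeyCredentialsImpl extends BaseSSHUser
@@ -96,6 +97,7 @@ public String getDisplayName() {
     }
     public ListBoxModel doFillCredentialIDItems(@AncestorInPath final Item item, @QueryParameter final String uri) {
+        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
         return new StandardListBoxModel().includeAs(ACL.SYSTEM, item, ConjurSecretCredentials.class, URIRequirementBuilder.fromUri(uri).build());
     }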
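Review bot: This is the third copy of the same `doFillCredentialIDItems` body in this commit, each pasted with its own `Jenkins.get().checkPermission(Jenkins.ADMINISTER)` line ahead of an identical `includeAs(ACL.SYSTEM, item, …)` call; because the fix only holds while every filler remembers the check, the permission gate and the lookup should live in one shared static helper (for example on the `ConjurSecretCredentials` type all three already reference) that the three methods delegate to, so a future filler cannot reintroduce the unauthenticated listing. The comment I would put above the check is `// Lookup below runs as SYSTEM; without this gate any Overall/Read user can enumerate credential IDs (SECURITY-2350).` so the reason for the line survives refactoring. As written the check also ignores `item`, so users configuring a folder-scoped job without Overall/Administer will get an exception instead of a list; an `Item.EXTENDED_READ`-based check on `item` when it is non-null would be the more precise scope. The class declaration continues past this hunk, so I cannot see whether other form-filling endpoints in this class need the same treatment.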
References
- github.com/advisories/GHSA-372f-jc47-7gr5 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-25190 (NVD advisory)
- github.com/jenkinsci/conjur-credentials-plugin/commit/eda06cde26cdf2d40ae4e2f4d2709e8174489068 (fix commit)
- www.jenkins.io/security/advisory/2022-02-15/ (vendor advisory, x_refsource_CONFIRM)