VYPR
Moderate severity · NVD Advisory · Published Feb 15, 2022 · Updated Aug 3, 2024

CVE-2022-25193

Description

Jenkins Snow Commander Plugin 1.10 and earlier lacks permission checks, allowing attackers with Overall/Read to capture stored credentials by connecting to an attacker-controlled server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Jenkins Snow Commander Plugin, versions 1.10 and earlier, fails to perform proper permission checks. This allows attackers who have at least Overall/Read permission to exploit the plugin's functionality to connect to an attacker-specified webserver using attacker-specified credentials IDs. The credentials IDs must be obtained through another method (e.g., other vulnerabilities). The plugin version range affected is up to and including 1.10 [1][2].

Exploitation

An attacker with Overall/Read permission in Jenkins can trigger the plugin to connect to a webserver they control. They need to know or guess credential IDs (which they may obtain through other means, e.g., other vulnerabilities or information disclosure). The attacker can then capture the sensitive credentials stored in Jenkins by making the plugin send them to the attacker's server.

Impact

Successful exploitation allows the attacker to capture credentials stored in Jenkins through the plugin's connection to an attacker-specified server. This gives the attacker unauthorized access to those credentials, potentially compromising the confidentiality, integrity and availability of the Jenkins environment and of any other systems that use the same credentials.

Mitigation

The Jenkins Security Advisory recommends upgrading to a fixed version. According to the advisory, the issue is fixed in Snow Commander Plugin version 2.0 (released November 1, 2021) [3]. Users should upgrade to version 2.0 or later. No workaround is provided. If upgrade is not possible, restrict Overall/Read permissions to trusted users.
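The underlying bug class is a form-validation or connection-test endpoint that acts on user-supplied parameters without first checking the caller's permission. The following is an added illustration of that pattern and its fix, written against the public Jenkins core and Credentials plugin APIs; it is not the Snow Commander Plugin's own code, and the class name, method names and the "Test connection" semantics are assumptions. The unchecked method shows the shape of the defect the advisory describes; the checked method shows the fix shape the Jenkins security guidance recommends for global-configuration endpoints.

```java
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import com.cloudbees.plugins.credentials.domains.URIRequirementBuilder;
import hudson.Extension;
import hudson.security.ACL;
import hudson.util.FormValidation;
import java.net.URI;
import java.net.URISyntaxException;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

/**
 * Hypothetical global configuration for a plugin that offers a
 * "Test connection" button taking a server URL and a credentials ID.
 * Class and method names are assumptions made for this illustration.
 */
@Extension
public class ExampleServerGlobalConfiguration extends GlobalConfiguration {

    /**
     * Vulnerable pattern: the endpoint has no permission check, so any user
     * who can reach Jenkins (Overall/Read) can choose both the destination
     * URL and the credentials ID, and Jenkins will present the stored secret
     * to that destination.
     */
    public FormValidation doTestConnectionUnchecked(@QueryParameter String serverUrl,
                                                    @QueryParameter String credentialsId) {
        return testConnection(serverUrl, credentialsId);
    }

    /**
     * Hardened pattern: require Overall/Administer before touching either
     * parameter, and restrict the endpoint to POST so it cannot be fired by a
     * crafted GET link. checkPermission throws AccessDeniedException for
     * callers without the permission, so the body never runs for them.
     */
    @POST
    public FormValidation doTestConnection(@QueryParameter String serverUrl,
                                           @QueryParameter String credentialsId) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return testConnection(serverUrl, credentialsId);
    }

    /** Shared body: validate the target URL and resolve the credentials ID. */
    private static FormValidation testConnection(String serverUrl, String credentialsId) {
        URI target;
        try {
            target = new URI(serverUrl);
        } catch (URISyntaxException e) {
            return FormValidation.error("Server URL is not a valid URI");
        }
        // Refuse to send a secret over plaintext HTTP, even for an administrator.
        if (!"https".equalsIgnoreCase(target.getScheme())) {
            return FormValidation.error("Server URL must use https");
        }
        StandardUsernamePasswordCredentials creds = CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(
                        StandardUsernamePasswordCredentials.class,
                        Jenkins.get(),
                        ACL.SYSTEM,
                        URIRequirementBuilder.fromUri(serverUrl).build()),
                CredentialsMatchers.withId(credentialsId));
        if (creds == null) {
            return FormValidation.error("No username/password credentials with that ID");
        }
        // The real HTTP round trip to the server is omitted; the point of the
        // example is the permission guard in doTestConnection.
        return FormValidation.ok("Would authenticate to " + target.getHost()
                + " as " + creds.getUsername());
    }
}
```

The same guard applies to job-level configuration, where the check becomes `item.checkPermission(Item.CONFIGURE)` on the enclosing item rather than `Jenkins.ADMINISTER`; in both cases the check must come before any use of the caller-supplied URL or credentials ID, which is exactly the ordering the affected plugin versions lacked.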

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                          Affected versions   Patched versions
io.jenkins.plugins:embotics-vcommander (Maven)   < 2.0               2.0

Affected products: 2
Patches: 0 (no patches discovered yet)

References: 3
News mentions: 1