CVE-2022-25195
Description
Missing permission check in Jenkins autonomiq Plugin 1.15 and earlier allows attackers with Overall/Read to connect to an attacker-specified URL with attacker-specified credentials.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A missing permission check in the Jenkins autonomiq Plugin version 1.15 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials. The plugin performs no access-control check in several doFill* form-fill methods of its build-step descriptor, the methods that populate the dropdowns for projects, test cases, test suites and other items. All releases up to and including 1.15 are affected. [1][3]
Exploitation
An attacker with only Overall/Read permission can send HTTP requests directly to the doFillProjectItems, doFillPlatformTestCasesItems, doFillPlatformTestSuitesItems, doFillBrowserTestCasesItems, and doFillBrowserTestSuitesItems endpoints. Of these, doFillProjectItems is the one that accepts aiqUrl, login, and password query parameters; when all three are non-empty it makes the Jenkins controller connect to that URL using those credentials, so the attacker can point it at a server they control. The fix adds the @POST annotation (rejecting GET requests and enforcing the CSRF crumb) and a Jenkins.get().checkPermission(Jenkins.ADMINISTER) check to each of these methods, indicating that previously no permission was required. [3]
Impact
An attacker can make the Jenkins controller connect to an attacker-specified URL using attacker-specified credentials, potentially leading to credential disclosure or server-side request forgery (SSRF). Since the attacker supplies the credentials, this could also be used to verify credential pairs against external services or exfiltrate data through the URL. [1][2]
Mitigation
Update to autonomiq Plugin version 1.16 or later, released on February 15, 2022, which adds proper permission checks and CSRF protection to the affected endpoints. No workaround is available. The plugin is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog. [1][3]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
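The vulnerability and mitigation sections above describe a form-fill method that reaches the network before any authorisation. The following is an added, illustrative hardened version of such a method; it is not the plugin's own code. It assumes a hypothetical `listProjects` helper standing in for the plugin's client call, and scopes the check to Item/Configure on the job being configured (the scope Jenkins' form-validation guidance recommends for job-level form methods) rather than Overall/Administer alone.

```java
import hudson.model.Item;
import hudson.util.ListBoxModel;
import hudson.util.Secret;
import java.util.Collections;
import java.util.List;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

// Illustrative descriptor fragment, not the autonomiq plugin's code.
public class HardenedFormFillExample {

    // @POST rejects GET requests and makes Jenkins enforce its CSRF crumb, so a
    // link or a cross-site form can no longer trigger the outbound connection.
    @POST
    public ListBoxModel doFillProjectItems(@AncestorInPath Item item,
                                           @QueryParameter String aiqUrl,
                                           @QueryParameter String login,
                                           @QueryParameter Secret password) {
        // Authorise before touching any caller-supplied parameter. From a job
        // configuration page the caller must be allowed to configure that job;
        // with no job context (a direct request to the descriptor URL) fall
        // back to Overall/Administer, which is what the upstream fix requires
        // unconditionally. checkPermission throws, producing a 403, on failure.
        if (item != null) {
            item.checkPermission(Item.CONFIGURE);
        } else {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        }

        ListBoxModel model = new ListBoxModel();
        // A missing query parameter arrives as null, so guard before calling
        // length()/isEmpty(); no outbound request is made until all are present.
        if (aiqUrl == null || aiqUrl.isEmpty() || login == null || login.isEmpty()
                || password == null || Secret.toString(password).isEmpty()) {
            return model;
        }
        // Only an authorised, CSRF-protected POST reaches the network call.
        for (String name : listProjects(aiqUrl, login, Secret.toString(password))) {
            model.add(name);
        }
        return model;
    }

    // Hypothetical stand-in for the plugin's own AutonomIQ client call.
    private List<String> listProjects(String url, String user, String secret) {
        return Collections.emptyList();
    }
}
```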
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| io.jenkins.plugins:autonomiq (Maven) | < 1.16 | 1.16 |
Affected products
- Jenkins project / Jenkins autonomiq Plugin (v5 range: unspecified)
Patches
- e06b1ff67664: added permission and csrf protection
1 file changed · +17 −0
src/main/java/io/jenkins/plugins/autonomiq/AutonomiqBuilder.java+17 −0 modified@@ -653,6 +653,7 @@ public String getDisplayName() { } @SuppressWarnings("unused") + @POST public ListBoxModel doFillProjectItems(@QueryParameter String aiqUrl, @QueryParameter String login, @QueryParameter Secret password, @@ -661,6 +662,8 @@ public ListBoxModel doFillProjectItems(@QueryParameter String aiqUrl, @QueryParameter String proxyUser, @QueryParameter Secret proxyPassword, @QueryParameter Boolean httpProxy) { + Jenkins.get().checkPermission(Jenkins.ADMINISTER); + // make sure other fields have been filled in if (aiqUrl.length() > 0 && login.length() > 0 && Secret.toString(password).length() > 0) { @@ -681,7 +684,10 @@ public ListBoxModel doFillProjectItems(@QueryParameter String aiqUrl, } @SuppressWarnings("unused") + @POST public ListBoxModel doFillPlatformTestCasesItems() { + Jenkins.get().checkPermission(Jenkins.ADMINISTER); + String[] values = {"Linux"}; //, "Windows"}; @@ -690,7 +696,10 @@ public ListBoxModel doFillPlatformTestCasesItems() { return new ListBoxModel(options); } @SuppressWarnings("unused") + @POST public ListBoxModel doFillPlatformTestSuitesItems() { + Jenkins.get().checkPermission(Jenkins.ADMINISTER); + String[] values = {"Linux"}; //, "Windows"}; @@ -701,7 +710,10 @@ public ListBoxModel doFillPlatformTestSuitesItems() { @SuppressWarnings("unused") + @POST public ListBoxModel doFillBrowserTestCasesItems() { + Jenkins.get().checkPermission(Jenkins.ADMINISTER); + String[] values = {"Chrome", "Firefox"}; @@ -710,7 +722,9 @@ public ListBoxModel doFillBrowserTestCasesItems() { return new ListBoxModel(options); } @SuppressWarnings("unused") + @POST public ListBoxModel doFillBrowserTestSuitesItems() { + Jenkins.get().checkPermission(Jenkins.ADMINISTER); String[] values = {"Chrome", "Firefox"}; 
@@ -720,7 +734,10 @@ public ListBoxModel doFillBrowserTestSuitesItems() { } @SuppressWarnings("unused") + @POST public ListBoxModel doFillExecutionModeItems() { + Jenkins.get().checkPermission(Jenkins.ADMINISTER); + String[] values = {"serial", "parallel"};
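Review bot: In the doFillProjectItems hunk the new check is Overall/Administer on the controller, which also blocks the project dropdown for users who hold only Item/Configure on the job they are editing; the usual Jenkins pattern for item-level form methods is an `@AncestorInPath Item item` parameter with `item.checkPermission(Item.CONFIGURE)`, falling back to `Jenkins.get().checkPermission(Jenkins.ADMINISTER)` when item is null. Placing the check before the field test is the right order, since no parameter is touched before authorisation. The retained context line `if (aiqUrl.length() > 0 && login.length() > 0 && Secret.toString(password).length() > 0)` still has no null guard, so a request omitting aiqUrl or login throws a NullPointerException (after the check, so not a security issue, but worth a `Util.fixNull`).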
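Review bot: doFillPlatformTestCasesItems returns the fixed array `{"Linux"}` and makes no outbound connection, so requiring Overall/Administer here adds no security benefit and will leave the dropdown empty (the check throws and Jenkins returns 403) for any non-admin configuring a job; the same applies to the identical doFillPlatformTestSuitesItems, doFillBrowserTestCasesItems and doFillExecutionModeItems hunks. Either drop the check on the constant-list methods or scope it to Item/Configure on the ancestor item as suggested for doFillProjectItems, keeping @POST if CSRF consistency is wanted.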
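Review bot: The doFillBrowserTestSuitesItems hunk omits the blank line after `Jenkins.get().checkPermission(Jenkins.ADMINISTER);` that every other modified method adds (which is why this hunk is +2 where the others are +3); for consistency add the blank line or drop it everywhere. The over-restriction noted for the other constant-list methods applies here too, as the method only returns `{"Chrome", "Firefox"}`.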
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-6jv7-28mv-qp9c (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-25195 (GHSA, advisory)
- github.com/jenkinsci/autonomiq-plugin/commit/e06b1ff67664a90819c9561bbc12f4c6e593d1dc (GHSA, web)
- www.jenkins.io/security/advisory/2022-02-15/ (GHSA, x_refsource_CONFIRM, web)
News mentions
- Jenkins Security Advisory 2022-02-15 (Jenkins Security Advisories, Feb 15, 2022)