High severity · NVD Advisory · Published Feb 15, 2022 · Updated Aug 3, 2024

CVE-2022-25199

Description

A missing permission check in Jenkins SCP publisher Plugin 1.8 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A missing permission check in Jenkins SCP publisher Plugin ≤1.8 allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials.

Vulnerability

Jenkins SCP publisher Plugin versions 1.8 and earlier lack a permission check, which allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials. [1][2]

Exploitation

An attacker with Overall/Read permission can trigger the plugin to connect to any SSH server they specify, using credentials they provide. No additional authentication or user interaction is required beyond having Overall/Read access. [1]

Impact

Successful exploitation allows the attacker to make the Jenkins controller initiate SSH connections to arbitrary servers, potentially leaking information or facilitating further attacks. The exact impact depends on the network configuration and the attacker's goals. [1]

Mitigation

The plugin is deprecated and no longer maintained. The last release was in January 2011. Users should remove the plugin or replace it with alternative functionality. No fix will be provided. [1][3]

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| org.jenkins-ci.plugins:scp (Maven) | <= 1.8 | |

Patches

No patches discovered yet.
