CVE-2022-25201
Description
Jenkins Checkmarx Plugin 2022.1.2 and earlier lacks permission checks, allowing attackers with Overall/Read to leak credentials to an attacker-controlled server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Missing permission checks in Jenkins Checkmarx Plugin 2022.1.2 and earlier [1][2] allow attackers with Overall/Read permission to connect to an attacker-specified webserver using attacker-specified credentials IDs obtained through another method. The plugin fails to validate that the user initiating the connection has the necessary permissions to use the referenced credentials, enabling credential exfiltration.
Exploitation
An attacker must have Overall/Read permission on the Jenkins instance and possess a valid credentials ID (obtained via a separate vulnerability or enumeration) [1]. The attacker can then trigger the plugin to connect to an external webserver of their choice, supplying the credentials ID as part of the request. The plugin will use the stored Jenkins credentials to authenticate to the attacker's server, effectively capturing the credential values [1][2].
Impact
Successful exploitation allows the attacker to capture credentials stored in Jenkins, potentially leading to further compromise of the Jenkins instance or integrated systems [1][2]. The attacker gains access to the credential plaintext, which can then be used for lateral movement, privilege escalation, or accessing protected resources.
Mitigation
Jenkins released Checkmarx Plugin version 2022.1.3, which adds the missing permission checks so that credentials can no longer be used by users who are not authorized to configure the connection [4]. Users should upgrade to version 2022.1.3 or later. There is no viable workaround if upgrading is not possible, as disabling the plugin or restricting the Overall/Read permission may impact functionality [1].
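The class of bug described above (a form-validation endpoint that resolves a credentials ID and connects to a caller-supplied URL without checking who is asking) has a standard fix shape in Jenkins plugin development. The following is an added illustration written for this page; it is a generic, hypothetical plugin descriptor method and is not the Checkmarx plugin's own code or its actual fix. Class and method names (`ConnectionCheckExample`, `doTestConnection`, `connect`) are assumed for the example; the Jenkins, Stapler and Credentials-plugin APIs it calls are real.

```java
package example; // hypothetical package, not the Checkmarx plugin's

import java.util.Collections;

import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;

import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;

/**
 * Illustrative form-validation endpoint (hypothetical, added for this page).
 * Stapler exposes a doTestConnection() method as an HTTP endpoint under the
 * descriptor, so anyone who can reach the Jenkins UI can call it with
 * arbitrary query parameters unless the method guards itself.
 */
public class ConnectionCheckExample {

    // VULNERABLE pattern: no permission check and no HTTP-method restriction.
    // A user with only Overall/Read can pass a server URL they control plus a
    // credentials ID they have learned, and Jenkins authenticates to that URL
    // with the stored secret. This is the behaviour the advisory describes.
    public FormValidation doTestConnectionVulnerable(
            @AncestorInPath Item item,
            @QueryParameter String serverUrl,
            @QueryParameter String credentialsId) {
        StandardUsernamePasswordCredentials c = lookup(item, credentialsId);
        if (c == null) {
            return FormValidation.error("Credentials not found");
        }
        return connect(serverUrl, c);
    }

    // HARDENED pattern (the kind of check the fixed version adds):
    //  1. @POST so the endpoint cannot be triggered by a crafted GET link.
    //  2. Require Item/Configure on the job context (or Overall/Administer
    //     when there is no job context) before any credential is resolved.
    //     checkPermission() throws AccessDeniedException on failure, so the
    //     lookup and the outbound connection are never reached.
    @POST
    public FormValidation doTestConnection(
            @AncestorInPath Item item,
            @QueryParameter String serverUrl,
            @QueryParameter String credentialsId) {
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            item.checkPermission(Item.CONFIGURE);
        }
        StandardUsernamePasswordCredentials c = lookup(item, credentialsId);
        if (c == null) {
            return FormValidation.error("Credentials not found");
        }
        return connect(serverUrl, c);
    }

    // Resolve a credentials ID in the scope of the given item. Runs as SYSTEM
    // because credential lookup itself is not the authorization boundary;
    // the checkPermission() call above is.
    private static StandardUsernamePasswordCredentials lookup(Item item, String credentialsId) {
        return CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(
                        StandardUsernamePasswordCredentials.class,
                        item, ACL.SYSTEM, Collections.emptyList()),
                CredentialsMatchers.withId(credentialsId));
    }

    // Stand-in for the real outbound HTTP call; the security-relevant part of
    // the example is everything that happens before this point is reached.
    private static FormValidation connect(String serverUrl, StandardUsernamePasswordCredentials c) {
        return FormValidation.ok("Would connect to " + serverUrl + " as " + c.getUsername());
    }
}
```

When reviewing a plugin for this bug class, look for every `doCheck*`, `doTest*` and `doFill*` method that takes a `credentialsId` or a URL parameter and confirm it carries both `@POST` and a `checkPermission` (or `hasPermission`) call before it touches `CredentialsProvider`; a method that only validates the URL format but still resolves the credential is still exploitable in the way the advisory describes.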
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.checkmarx.jenkins:checkmarxMaven | < 2022.1.3 | 2022.1.3 |
Affected products
- Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-wwf6-x2rv-vxqh (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-25201 (GHSA, advisory)
- github.com/jenkinsci/checkmarx-plugin/releases/tag/Release_2022.1.3 (GHSA, web)
- www.jenkins.io/security/advisory/2022-02-15/ (GHSA, x_refsource_CONFIRM, web)
News mentions
- Jenkins Security Advisory 2022-02-15 (Jenkins Security Advisories, Feb 15, 2022)