CVE-2022-25211

Vulnerability

The Jenkins SWAMP Plugin version 1.2.6 and earlier contains a missing permission check. The plugin does not verify that the user has the required permissions before allowing connections to external web servers. This allows any user with Overall/Read permission to trigger the plugin to connect to an attacker-specified web server using attacker-specified credentials. [1][3]

Exploitation

An attacker needs only Overall/Read permission on a Jenkins instance where the SWAMP Plugin is installed. No additional privileges or user interaction are required. The attacker can craft a request that causes the plugin to connect to an arbitrary web server of their choice, supplying any credentials they wish. [1]

Impact

Successful exploitation enables the attacker to use the Jenkins controller as a proxy to connect to external servers, potentially exfiltrating sensitive data or performing reconnaissance. The attacker can also supply credentials, which could be used to authenticate to the target server. This is a server-side request forgery (SSRF) vulnerability with information disclosure risk. [1]

Mitigation

As of the Jenkins Security Advisory published on 2022-02-15, no fixed version of the SWAMP Plugin was available. Users should monitor the Jenkins plugin update site for a patched release. As a workaround, restrict Overall/Read permission to trusted users only. [1][3]