CVE-2022-27199
Description
Missing permission check in Jenkins CloudBees AWS Credentials Plugin allows attackers with Overall/Read to connect to AWS using attacker-specified token.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CloudBees AWS Credentials Plugin versions 189.v3551d5642995 and earlier lack a permission check when connecting to an AWS service. This allows any user with the Overall/Read permission to specify an arbitrary AWS token and initiate a connection to an AWS service [1][3].
Exploitation
An attacker needs only the Overall/Read permission, which is a low-privilege access level in Jenkins. No additional authentication or user interaction is required. The attacker can supply a token of their choice and trigger a connection to an AWS service [1].
Impact
Successful exploitation enables the attacker to connect to an AWS service using a token they control. Depending on the token's permissions, this could lead to unauthorized access to AWS resources, potentially compromising confidentiality and integrity of data stored in or managed by those services [1][3].
Mitigation
The vulnerability is fixed in CloudBees AWS Credentials Plugin version 191.vcb_f183ce58b_9, released on 2022-03-15 [2]. Users should upgrade to this version or later. No workaround is documented [1][2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:aws-credentials (Maven) | < 191.vcb_f183ce58b_9 | 191.vcb_f183ce58b_9 |
Affected products
- Range: unspecified
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-m9gv-4523-jffm (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-27199 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2022/03/15/2 (ghsa, mailing-list, x_refsource_MLIST, WEB)
- www.jenkins.io/security/advisory/2022-03-15/ (ghsa, x_refsource_CONFIRM, WEB)
News mentions
- Jenkins Security Advisory 2022-03-15 (Jenkins Security Advisories, Mar 15, 2022)