VYPR
Moderate severityNVD Advisory· Published Mar 15, 2022· Updated Aug 3, 2024

CVE-2022-27209

Description

Missing permission check in Jenkins Kubernetes Continuous Deploy Plugin 2.3.1 and earlier allows attackers with Overall/Read to enumerate credential IDs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A missing permission check in the Jenkins Kubernetes Continuous Deploy Plugin version 2.3.1 and earlier allows attackers with Overall/Read permission to enumerate the IDs of credentials stored in Jenkins [1][4]. The plugin does not verify that the requesting user holds the permission needed to list credentials, so the enumeration is reachable from any job or view that uses the plugin's functionality.

Exploitation

An attacker needs only the built-in Overall/Read permission, which is typically granted to low-privileged users. By interacting with the plugin's endpoints (e.g., form validation or credential listing), the attacker can enumerate credential IDs without any further authorization; no additional authentication or user interaction is required beyond holding Overall/Read.

Impact

Successful exploitation results in information disclosure of credential IDs. While the credential values themselves are not exposed, knowledge of the IDs can aid further attacks, for example by revealing which credentials exist or by allowing specific credentials to be targeted in later exploitation. The plugin's distribution was later suspended because of the unresolved remote code execution vulnerability SECURITY-2448 [3], but for this CVE the impact is limited to enumeration.

Mitigation

No official patch for CVE-2022-27209 has been released; the Jenkins Security Advisory 2022-03-15 records the vulnerability as unresolved [1][2]. As a workaround, administrators can restrict Overall/Read permission to trusted users only. As of 23 August 2022, distribution of the plugin has been suspended due to an unrelated RCE vulnerability [3], so no future updates are expected unless the plugin is adopted and fixed.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:kubernetes-cd (Maven)
Affected versions: <= 2.3.1
Patched versions: (none)

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 1