VYPR
High severity · NVD Advisory · Published Mar 15, 2022 · Updated Oct 15, 2024

CVE-2022-27211

Description

Jenkins Kubernetes Continuous Deploy Plugin 2.3.1 and earlier lacks a permission check, enabling attackers with Overall/Read to connect to an attacker-specified SSH server and capture stored credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Jenkins Kubernetes Continuous Deploy Plugin versions 2.3.1 and earlier contain a missing permission check. Users with Overall/Read permission can make the plugin connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, which lets them capture credentials stored in Jenkins. [1][2]

Exploitation

An attacker must have Overall/Read permission on the Jenkins instance. The attacker must also obtain valid credentials IDs through a separate vulnerability or method. The attacker can then configure the plugin to connect to an attacker-controlled SSH server, and the plugin will supply credentials associated with those IDs, allowing the attacker to capture them. [1]

Impact

Successful exploitation enables the attacker to capture credentials stored in Jenkins, including potentially sensitive secrets. This could lead to further compromise of Jenkins and its connected systems. [1]

Mitigation

As of the advisory date (2022-03-15), no fix was available for the Kubernetes Continuous Deploy Plugin. The plugin's distribution was suspended on 23 Aug 2022 due to an unresolved remote code execution vulnerability. Users should ensure that only trusted users have Overall/Read permission and consider removing or disabling the plugin if not needed. [3]

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:kubernetes-cd (Maven)
Affected versions: <= 2.3.1
Patched versions: none listed

Patches

0

No patches discovered yet.
