CVE-2022-27215
Description
A missing permission check in Jenkins Release Helper Plugin 1.3.3 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Release Helper Plugin 1.3.3 and earlier lacks a permission check, allowing attackers with Overall/Read to make authenticated requests to arbitrary URLs.
Vulnerability
The Jenkins Release Helper Plugin, versions 1.3.3 and earlier, contains a missing permission check in an endpoint that the description does not identify. Users holding only Overall/Read permission, the most basic permission Jenkins grants and one commonly given to every authenticated user, can trigger a connection from the Jenkins controller to an attacker-specified URL using attacker-specified credentials. The endpoint does not require a higher permission such as Overall/Administer or Job/Configure before making the connection. [1][2]
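The pattern behind this class of bug, shown as an added illustration and not as the plugin's own code: in Jenkins, every public `do...` method on a `Descriptor` or `GlobalConfiguration` is exposed by Stapler as a web endpoint (for a `GlobalConfiguration`, at `/descriptorByName/<fully.qualified.ClassName>/<name>`), and any user with Overall/Read can reach it unless the method itself checks a permission. The hypothetical `doTestConnectionVulnerable` below omits that check, so any reader can make the controller connect to a URL with credentials of their choosing; `doTestConnection` is the hardened form. The class name, method names and parameter names are assumptions, since the page does not identify the real endpoint.

```java
package example.releasehelper; // hypothetical package, not the real plugin's

import hudson.Extension;
import hudson.util.FormValidation;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/**
 * Hypothetical global configuration page with a "Test connection" button.
 * Stapler exposes each public do* method as an HTTP endpoint; whether a
 * caller may invoke it is decided only by the code inside the method.
 */
@Extension
public class ExampleReleaseHelperConfig extends GlobalConfiguration {

    /**
     * VULNERABLE pattern: no permission check. Any user with Overall/Read can
     * request GET /descriptorByName/example.releasehelper.ExampleReleaseHelperConfig/
     * testConnectionVulnerable?url=...&username=...&password=... and make the
     * controller connect to the given URL with the given credentials.
     */
    public FormValidation doTestConnectionVulnerable(@QueryParameter String url,
                                                     @QueryParameter String username,
                                                     @QueryParameter String password) {
        return connect(url, username, password);
    }

    /**
     * HARDENED pattern: require Overall/Administer before touching the
     * caller-supplied URL and credentials. checkPermission throws
     * AccessDeniedException for callers who lack it, which Jenkins turns into
     * an HTTP 403. @POST additionally rejects GET requests, the usual Jenkins
     * hardening for form-validation methods that have side effects.
     */
    @POST
    public FormValidation doTestConnection(@QueryParameter String url,
                                           @QueryParameter String username,
                                           @QueryParameter String password) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return connect(url, username, password);
    }

    /** Opens the connection. Identical in both variants; the check belongs in the caller. */
    private static FormValidation connect(String url, String username, String password) {
        try {
            HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
            String token = Base64.getEncoder().encodeToString(
                    (username + ":" + password).getBytes(StandardCharsets.UTF_8));
            c.setRequestProperty("Authorization", "Basic " + token);
            c.setConnectTimeout(5_000);
            c.setReadTimeout(5_000);
            int status = c.getResponseCode();
            return status < 400
                    ? FormValidation.ok("Connected, HTTP " + status)
                    : FormValidation.error("Server answered HTTP " + status);
        } catch (IOException e) {
            return FormValidation.error(e, "Connection failed");
        }
    }
}
```

For a descriptor that belongs to a job rather than to global configuration, the equivalent check is `item.checkPermission(Item.CONFIGURE)` on an `@AncestorInPath Item item`, falling back to `Jenkins.ADMINISTER` when `item` is null. Real plugins should also reference a stored credential by ID instead of accepting a plain `password` query parameter; the plain parameter is kept here only to mirror the "attacker-specified credentials" wording of the description.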
Exploitation
An attacker with Overall/Read access to a Jenkins instance can send a request to the vulnerable plugin endpoint that names an arbitrary URL and the credentials to present. The plugin then connects to that URL from the controller using the supplied credentials. No additional privileges or user interaction are required. [1]
Impact
Successful exploitation lets the attacker use the Jenkins controller as a request proxy: it makes authenticated requests, from the controller's network position, to external or internal systems the attacker may not be able to reach directly. This can lead to information disclosure, lateral movement, or further compromise of systems reachable from the controller. The attacker controls both the target URL and the credentials that are sent. [1][3]
Mitigation
As of the advisory date (2022-03-15), no fix had been released for the Release Helper Plugin; it is listed as having an unresolved security issue. Until a fixed release appears, restrict Overall/Read to trusted users, or uninstall or disable the plugin if it is not needed, and monitor for updates from the plugin maintainer. [1][2]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:release-helper (Maven) | <= 1.3.3 | — |
Affected products
- Range: <= 1.3.3
- Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-p9gq-76fj-4p4p (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-27215 (NVD)
- www.openwall.com/lists/oss-security/2022/03/15/2 (oss-security mailing list)
- www.jenkins.io/security/advisory/2022-03-15/ (Jenkins Security Advisory, vendor confirmation)
News mentions
- Jenkins Security Advisory 2022-03-15 (Jenkins Security Advisories, Mar 15, 2022)