VYPR
Moderate severity · NVD Advisory · Published Mar 29, 2022 · Updated Aug 3, 2024

CVE-2022-28139

Description

Jenkins RocketChat Notifier Plugin 1.4.10 and earlier lacks a permission check in the doTestConnection endpoint, allowing attackers with Overall/Read to connect to arbitrary URLs with arbitrary credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Jenkins RocketChat Notifier Plugin, versions 1.4.10 and earlier, is missing a permission check in the doTestConnection method of the RocketChatNotifier.DescriptorImpl class [1][2]. This form-validation endpoint tests the connection to a Rocket.Chat server using the server URL and the credentials passed in the request; as the method signature shows, it also accepts a webhookTokenCredentialId, so the caller can name a credential stored in Jenkins instead of supplying one inline. Before the fix the method neither checked any permission nor restricted itself to POST, so any user holding Overall/Read could invoke it, although Jenkins normally reserves global configuration actions of this kind for Overall/Administer [3].

Exploitation

An attacker with Overall/Read permission (which many Jenkins authorization configurations grant to every authenticated user) sends a request to the doTestConnection endpoint; because the vulnerable method carries no @RequirePOST, a plain GET suffices and no CSRF crumb is needed. The attacker supplies a rocketServerUrl pointing at a server they control (HTTP or HTTPS; the endpoint also takes a trustSSL parameter) together with arbitrary username, password, or webhook token values. The Jenkins controller then opens an HTTP connection to that URL and presents the supplied credentials. No interaction by any other user is required, and the attacker does not need to be an administrator [1][3].

Impact

Successful exploitation lets the attacker make Jenkins connect to a URL of their choosing, which yields both a server-side request forgery (SSRF) primitive and a credential-exfiltration channel: the Jenkins controller can be used to probe internal network resources, reach cloud metadata endpoints, or deliver attacker-chosen credentials to an attacker-controlled service. Since the method signature also accepts a webhookTokenCredentialId, a credential stored in Jenkins and referenced by ID may be presented to that server as well. The required privilege is low (Overall/Read), which is why this is rated a medium-severity issue leading to information disclosure and network reconnaissance [1][3].

Mitigation

The vulnerability is fixed in RocketChat Notifier Plugin version 1.5.0, released on 2022-03-29 [2]. The fix (commit 1a0023b) adds @RequirePOST to doTestConnection, which rejects GET requests and brings the call under Jenkins' CSRF protection, and inserts a Jenkins.get().checkPermission(Jenkins.ADMINISTER) call at the top of the method, so only administrators can run connection tests [4]. Users should upgrade to version 1.5.0 or later. If an upgrade is not immediately possible, administrators can disable the plugin until it can be updated, or restrict Overall/Read to trusted users, though the latter is likely to disrupt normal operations. This CVE is not known to be listed in CISA's Known Exploited Vulnerabilities (KEV) catalog [1][2].
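As an added example (not code from the advisory or from the plugin), the following Python script checks whether a Jenkins controller still runs a plugin version affected by this CVE, comparing the installed version numerically against 1.5.0 so that 1.4.10 is correctly treated as older than 1.5.0 (a naive string comparison would rank 1.4.9 above 1.4.10). The plugin short name rocketchatnotifier, the /pluginManager/api/json?depth=1 endpoint and its plugins[].shortName / version fields are assumptions about the Jenkins plugin-manager API; the embedded JSON is constructed sample input so the script runs offline.

```python
"""Check whether a Jenkins controller runs a RocketChat Notifier Plugin
version affected by CVE-2022-28139 (anything below 1.5.0).

Added example, not part of the advisory or the plugin. The sample JSON below
is constructed to mimic the shape of the Jenkins /pluginManager/api/json?depth=1
response; a real run fetches that endpoint with an admin API token.
"""
import base64
import json
import re
from urllib.request import Request, urlopen

PLUGIN_SHORT_NAME = "rocketchatnotifier"   # assumed: shortName == Maven artifactId
FIXED_VERSION = "1.5.0"                    # first patched release per the advisory

# Constructed sample input mimicking the plugin-manager API (not real data).
SAMPLE_PLUGIN_MANAGER_JSON = json.dumps({
    "plugins": [
        {"shortName": "credentials", "version": "2.6.1", "active": True},
        {"shortName": "rocketchatnotifier", "version": "1.4.10", "active": True},
    ]
})


def version_key(version):
    """Turn a plugin version string into a tuple that compares numerically.

    Leading dotted digits are compared segment by segment as integers, trailing
    zeros are dropped (so 1.5 == 1.5.0), and any non-numeric remainder such as
    '-beta-1' or '.vabc123' marks a pre-release that sorts below the bare
    numeric release it is derived from.
    """
    match = re.match(r"(\d+(?:\.\d+)*)(.*)", version)
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    nums = [int(part) for part in match.group(1).split(".")]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    is_release = 1 if match.group(2) == "" else 0
    return (tuple(nums), is_release)


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when the installed version is older than the first fixed release."""
    return version_key(version) < version_key(fixed)


def find_plugin(plugin_manager_json, short_name=PLUGIN_SHORT_NAME):
    """Return the plugin entry with the given shortName, or None if absent."""
    data = json.loads(plugin_manager_json)
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") == short_name:
            return plugin
    return None


def assess(plugin_manager_json):
    """Return (status, version); status is 'not-installed', 'vulnerable' or 'patched'."""
    plugin = find_plugin(plugin_manager_json)
    if plugin is None:
        return ("not-installed", None)
    version = plugin["version"]
    return ("vulnerable" if is_vulnerable(version) else "patched", version)


def fetch_plugin_manager_json(jenkins_url, user, api_token):
    """Fetch the live plugin list from a Jenkins controller (needs an admin token).

    Network access is only used here; everything else works on the sample above.
    """
    req = Request(jenkins_url.rstrip("/") + "/pluginManager/api/json?depth=1")
    basic = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", "Basic " + basic)
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    status, version = assess(SAMPLE_PLUGIN_MANAGER_JSON)
    print(f"{PLUGIN_SHORT_NAME}: {status} (installed {version}, fixed in {FIXED_VERSION})")
```

To check a real controller, replace the sample with fetch_plugin_manager_json("https://jenkins.example", "admin", "<api token>"); the comparison logic is the same either way.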

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package (Maven)                               Affected versions   Patched versions
org.jenkins-ci.plugins:rocketchatnotifier     < 1.5.0             1.5.0

Patches

Commit 1a0023be9f2e

feat(Security): Improve credential handling

https://github.com/jenkinsci/rocketchatnotifier-plugin · Martin Reinhardt · Mar 19, 2022 · via ghsa
1 file changed · +3 −0
  • src/main/java/jenkins/plugins/rocketchatnotifier/RocketChatNotifier.java (+3 −0, modified)
    @@ -30,6 +30,7 @@
     import org.kohsuke.stapler.QueryParameter;
     import org.kohsuke.stapler.StaplerRequest;
     import org.kohsuke.stapler.export.Exported;
    +import org.kohsuke.stapler.interceptor.RequirePOST;
     
     import javax.net.ssl.SSLHandshakeException;
     import java.io.IOException;
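Review bot: This hunk imports only `org.kohsuke.stapler.interceptor.RequirePOST`, while the `Jenkins.get().checkPermission(Jenkins.ADMINISTER)` call added further down relies on `jenkins.model.Jenkins` already being imported in this file; the diff does not show that import, so confirm it is present before merging.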
    @@ -578,6 +579,7 @@ public String getDisplayName() {
           return "RocketChat Notifications";
         }
     
    +    @RequirePOST
         public FormValidation doTestConnection(@QueryParameter("rocketServerUrl") final String rocketServerUrl,
                                                @QueryParameter("trustSSL") final String trustSSL,
                                                @QueryParameter("username") final String username,
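Review bot: `@RequirePOST` on `doTestConnection` closes the GET path and brings the call under Jenkins' CSRF crumb check, but it does nothing about authorization on its own; it must land together with the explicit permission check in the method body, not as a standalone change. A one-line comment on the annotation stating that this endpoint sends caller-supplied credentials to a caller-supplied URL would stop a later cleanup from dropping it. The Jelly `f:validateButton` control that normally drives test-connection methods submits a POST, so the configuration page should keep working, but that is worth confirming by hand.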
    @@ -586,6 +588,7 @@ public FormValidation doTestConnection(@QueryParameter("rocketServerUrl") final
                                                @QueryParameter("buildServerUrl") final String buildServerUrl,
                                                @QueryParameter("webhookToken") final String token,
                                                @QueryParameter("webhookTokenCredentialId") final String webhookTokenCredentialId) throws FormException {
    +      Jenkins.get().checkPermission(Jenkins.ADMINISTER);
           try {
             String targetServerUrl = rocketServerUrl + RocketClientImpl.API_PATH;
             if (StringUtils.isEmpty(rocketServerUrl)) {
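Review bot: Placing `Jenkins.get().checkPermission(Jenkins.ADMINISTER)` before the `try` is the right choice: the exception it throws on denial must not be swallowed by the method's catch clauses and reported back as a failed connection test. Checking against the root `Jenkins` ACL also fits a global descriptor. One follow-up to confirm: this diff hardens only `doTestConnection`, so any other form-validation method in the same descriptor that resolves `webhookTokenCredentialId` to a stored credential or contacts `rocketServerUrl` needs the same treatment.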
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
