Moderate severity · NVD Advisory · Published Mar 29, 2022 · Updated Aug 3, 2024

CVE-2022-28142

Description

Jenkins Proxmox Plugin 0.6.0 and earlier globally disables SSL/TLS certificate validation when configured to ignore issues, weakening security for all JVM connections.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Jenkins Proxmox Plugin 0.6.0 and earlier disables SSL/TLS certificate validation globally for the Jenkins controller JVM when configured to ignore SSL/TLS issues [1][2]. This means that if the plugin's configuration option to ignore SSL/TLS issues is enabled, the entire JVM's SSL/TLS certificate validation is turned off, affecting all HTTPS connections made by the Jenkins controller, not just those to Proxmox.
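The difference between a JVM-wide override and a per-connection trust setting, as an added example that is not taken from the plugin's source or the advisory. The first method shows the common pattern by which validation ends up disabled for a whole JVM (an assumption, since the page does not show the plugin's code); the second trusts one private CA on a single connection. The class name, method names and the `proxmox-ca` alias are hypothetical.

```java
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class TlsScopeExample {

    // WEAK (illustrative pattern, not the plugin's code): replaces the JVM-wide
    // defaults, so every later HttpsURLConnection in the process skips validation.
    static void disableValidationGlobally() throws Exception {
        TrustManager[] trustAll = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) { }
            public void checkServerTrusted(X509Certificate[] c, String a) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, null);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier((host, session) -> true);
    }

    // SAFER: trust one extra CA (for example a private Proxmox CA) on a single
    // connection only; JVM defaults and hostname verification stay untouched.
    static HttpsURLConnection openWithPinnedCa(URL url, Path caPem) throws Exception {
        Certificate ca;
        try (InputStream in = Files.newInputStream(caPem)) {
            ca = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                       // start from an empty in-memory store
        ks.setCertificateEntry("proxmox-ca", ca);  // hypothetical alias
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // applies to this connection only
        return conn;
    }
}
```

When reviewing plugin or library code, calls to the static `setDefault...` methods on `HttpsURLConnection` and to `SSLContext.setDefault` are the ones that change behaviour for the whole process rather than for one connection.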

Exploitation

An attacker with network access to the Jenkins controller can exploit this by performing a man-in-the-middle attack on any HTTPS connection initiated by the controller [1]. No authentication or user interaction is required beyond the plugin being configured to ignore SSL/TLS issues. The attacker can intercept and modify traffic to and from any external service that the Jenkins controller communicates with over HTTPS.

Impact

Successful exploitation allows an attacker to intercept, read, and modify sensitive data transmitted over HTTPS by the Jenkins controller, including credentials, API tokens, and build artifacts [1]. This compromises the confidentiality, integrity, and availability of the Jenkins environment and any connected systems.

Mitigation

The vulnerability is fixed in Proxmox Plugin versions 0.7.0 and later [1][2]. Users should upgrade to 0.7.0 or higher immediately. If upgrading is not possible, avoid enabling the "Ignore SSL/TLS issues" option in the plugin configuration. The fixed versions were released on 2022-03-29 [1].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| org.jenkins-ci.plugins:proxmox (Maven) | < 0.7.0 | 0.7.0 |
