VYPR
Moderate severity · NVD Advisory · Published Mar 29, 2022 · Updated Aug 3, 2024

CVE-2022-28144

Description

Jenkins Proxmox Plugin 0.7.0 and earlier lacks permission checks, letting attackers with Overall/Read access connect to arbitrary hosts, disable SSL/TLS globally, and test rollbacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Jenkins Proxmox Plugin versions 0.7.0 and earlier fail to perform permission checks in several HTTP endpoints. Attackers with Overall/Read permission can use these endpoints to connect to an attacker-specified host with attacker-specified credentials, disable SSL/TLS validation for the entire Jenkins controller JVM as part of a connection test, and test a rollback with attacker-specified parameters [1][2][3].

Exploitation

An attacker needs only Overall/Read permission on the Jenkins instance, a commonly granted low-privilege permission. Because the affected endpoints perform no permission check of their own, a user holding that baseline permission can invoke them directly, specifying a target host, username, password, and optionally the SSL/TLS-disabling flag. Both the connection test and the rollback test can be triggered with crafted HTTP requests [1][3].

Impact

Successful exploitation allows an attacker to connect Jenkins to an arbitrary server using attacker-controlled credentials (potential credential exposure), to disable SSL/TLS certificate validation for the entire Jenkins controller JVM as part of the test (so that subsequent encrypted connections made by the controller are no longer verified), and to execute rollback tests with attacker-defined parameters. This could lead to information disclosure, exfiltration of data, or disruption of builds [1][3].

Mitigation

Jenkins Proxmox Plugin version 0.7.1 (released 2022-03-29) adds proper permission checks to the affected endpoints [2]. Users should upgrade to 0.7.1 or later. As a workaround, if the plugin cannot be upgraded, administrators should revoke Overall/Read access from untrusted users or disable the plugin entirely [1][2].
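The pattern behind this class of Jenkins plugin bug, as an added illustration that is not the Proxmox plugin's own code: a web-accessible form-validation method (the `do*` naming makes it reachable over HTTP) that performs no permission check and relaxes TLS for the whole JVM, beside the form a plugin author would write instead. Class, method and parameter names are hypothetical; the per-connection scoping of the TLS toggle goes beyond what the advisory states about 0.7.1, which it describes only as adding permission checks.

```java
import hudson.Extension;
import hudson.model.Descriptor;
import hudson.slaves.Cloud;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import java.net.URL;
import java.security.cert.X509Certificate;

// Hypothetical cloud descriptor; the real plugin's class and field names are not on the page.
@Extension
public class ExampleCloudDescriptor extends Descriptor<Cloud> {

    // BEFORE: no permission check (Overall/Read suffices), reachable via GET, and "ignore SSL"
    // swaps the default socket factory for every HTTPS client in the controller JVM.
    public FormValidation doTestConnectionBefore(@QueryParameter String hostname,
                                                 @QueryParameter boolean ignoreSsl) throws Exception {
        if (ignoreSsl) HttpsURLConnection.setDefaultSSLSocketFactory(trustAllContext().getSocketFactory());
        new URL("https://" + hostname + "/").openConnection().connect();
        return FormValidation.ok();
    }

    // AFTER: administrator-only (it is a configuration-time test against an arbitrary host),
    // POST-only so it cannot be triggered by a cross-site GET, and relaxed verification
    // applies to this one connection object rather than to the JVM's defaults.
    @RequirePOST
    public FormValidation doTestConnection(@QueryParameter String hostname,
                                           @QueryParameter boolean ignoreSsl) throws Exception {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://" + hostname + "/").openConnection();
        if (ignoreSsl) conn.setSSLSocketFactory(trustAllContext().getSocketFactory()); // this connection only
        conn.connect();
        return FormValidation.ok();
    }

    // Trust-everything context, included only to make the JVM-wide vs per-connection difference concrete.
    private static SSLContext trustAllContext() throws Exception {
        X509TrustManager trustAll = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) { }
            public void checkServerTrusted(X509Certificate[] c, String a) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { trustAll }, null);
        return ctx;
    }
}
```

Reviewing a plugin for this bug means checking every `do*` method on a Descriptor for a `checkPermission` call and a `@RequirePOST` (or `@POST`) annotation, and grepping for `setDefaultSSLSocketFactory` and `setDefaultHostnameVerifier`, which should never be called from request handlers.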

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                         Ecosystem   Affected versions   Patched versions
org.jenkins-ci.plugins:proxmox  Maven       < 0.7.1             0.7.1
