CVE-2022-28147
Description
Jenkins Continuous Integration with Toad Edge Plugin 2.3 and earlier lacks a permission check, allowing attackers with Overall/Read permission to probe for arbitrary file paths on the controller.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A missing permission check in the Jenkins Continuous Integration with Toad Edge Plugin, versions 2.3 and earlier, enables attackers who have Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system [1][2][3]. The plugin does not perform any additional authorization when handling the file path existence check endpoint, making the code path reachable by any user with the minimal Overall/Read permission.
Exploitation
An attacker needs only to have Overall/Read permission on the Jenkins instance, which is a default permission for many users. No additional authentication or write access is required. The attacker can send a crafted request with an arbitrary file path to the vulnerable endpoint. The plugin then internally checks for the file's existence and returns a response indicating whether the path exists [1][3]. No user interaction or race condition is needed.
Impact
On success, the attacker can probe for the existence of arbitrary files and directories on the Jenkins controller file system. This is an information disclosure vulnerability that reveals whether a given file path exists, potentially aiding in reconnaissance for further attacks. The attacker does not gain the ability to read file contents or modify files. The compromise is limited to existence checking but can expose critical information such as the presence of credentials files, configuration files, or other sensitive paths [1][3].
Mitigation
Continuous Integration with Toad Edge Plugin version 2.4 fixes the missing permission check by adding proper authorization [1][2]. Users should upgrade to version 2.4 or later immediately. No workarounds are available, as the vulnerable endpoint cannot be disabled without upgrading. The plugin is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
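As an added illustration of the fix pattern (not the plugin's own code; the class name, helper and messages are assumed, and Jenkins.get() assumes a core release of 2.98 or later), here is the unguarded Stapler form-validation method next to its guarded form:

```java
// Added illustration (not the plugin's code): a Jenkins global-configuration
// form-validation method that resolves a caller-supplied path on the controller.
// ToadEdgeConfigExample, doCheckLibsUnprotected and validateLibsDir are assumed names.
import java.io.File;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;

public class ToadEdgeConfigExample {

    // Before (the CVE): doCheck* methods are web-exposed by Stapler, and nothing
    // here asks who the caller is, so anyone with Overall/Read reaches it.
    // The ok/error result is a yes/no oracle for any path on the controller.
    public FormValidation doCheckLibsUnprotected(@QueryParameter String value) {
        return validateLibsDir(value);
    }

    // After (the 2.4 fix pattern): permission check first, before the path is
    // even constructed. Jenkins.get() replaces the deprecated Jenkins.getInstance()
    // seen in the commit; checkPermission denies the request for callers without
    // Overall/Administer, so non-admins learn nothing about the file system.
    public FormValidation doCheckLibs(@QueryParameter String value) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return validateLibsDir(value);
    }

    // Shared validation; only administrators should ever reach this.
    private static FormValidation validateLibsDir(String value) {
        if (value == null || value.trim().isEmpty()) {
            return FormValidation.error("Libraries folder is required");
        }
        File dir = new File(value.trim());
        if (!dir.isDirectory()) {
            return FormValidation.error("Not a directory on the controller: " + value);
        }
        return FormValidation.ok();
    }
}
```

The same guard belongs in every doCheck* method that touches the controller file system or other protected state, since the validation result itself is what leaks.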
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:ci-with-toad-edge (Maven) | < 2.4 | 2.4 |
Affected products
- Jenkins project / Jenkins Continuous Integration with Toad Edge Plugin (range: unspecified)
Patches
- 2b65d62ebb71 {SECURITY-2635}
1 file changed · +2 −0
src/main/java/ci/with/toad/edge/MainConfiguration.java+2 −0 modified@@ -18,6 +18,7 @@ import java.io.File; +import jenkins.model.Jenkins; import org.jvnet.localizer.Localizable; import org.jvnet.localizer.ResourceBundleHolder; import org.kohsuke.stapler.QueryParameter; @@ -83,6 +84,7 @@ public String getLibs() { * message will be displayed to the user. */ public FormValidation doCheckLibs(@QueryParameter String value) { + Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER); FormValidation emptyValidation = FormValidationUtil.doCheckEmptyValue(value, new Localizable(ResourceBundleHolder.get(MainConfiguration.class), "LibrariesFolder").toString()); if (emptyValidation != FormValidation.ok()) { return emptyValidation;
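Review bot: `Jenkins.getInstance()` in the doCheckLibs hunk is deprecated in current Jenkins core and was annotated @CheckForNull in some core releases; prefer `Jenkins.get()`, which never returns null and throws IllegalStateException if Jenkins is not yet initialised, i.e. `Jenkins.get().checkPermission(Jenkins.ADMINISTER);`. Placing the check as the first statement, ahead of the empty-value validation and the file lookup, is right, since unauthorised callers then get no result at all; please also extend the method's Javadoc to state that Overall/Administer is required, and confirm that any sibling doCheck* methods in MainConfiguration that resolve a caller-supplied path receive the same guard.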
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-8hh2-rxm8-7fj8 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-28147 (NVD advisory)
- www.openwall.com/lists/oss-security/2022/03/29/1 (oss-security mailing list)
- github.com/jenkinsci/ci-with-toad-edge-plugin/commit/2b65d62ebb71ec727097aa409c623f9c7c3b2792 (fix commit)
- www.jenkins.io/security/advisory/2022-03-29/ (vendor advisory)
News mentions
- Jenkins Security Advisory 2022-03-29 (Jenkins Security Advisories, Mar 29, 2022)