VYPR
Moderate severity · NVD Advisory · Published Mar 29, 2022 · Updated Aug 3, 2024

CVE-2022-28151

Description

Jenkins Job and Node ownership Plugin 0.13.0 and earlier lacks permission checks, allowing attackers with Item/Read to change job owners and permissions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Jenkins Job and Node ownership Plugin 0.13.0 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Item/Read permission to change the owners and item-specific permissions of a job. All versions up to and including 0.13.0 are affected, and no release containing a fix was available as of the security advisory [1][2].

Exploitation

An attacker who has Item/Read permission on a Jenkins job (obtainable through the default permissions or by being granted that level of access) can send crafted HTTP requests to the plugin's endpoint to modify job ownership and item-specific permissions without needing any additional authorization. No special network position or user interaction is required beyond being an authenticated Jenkins user with Item/Read access [1][2].

Impact

Successful exploitation allows the attacker to change the owner of a job and adjust item-specific permissions (e.g., granting themselves Write or Configure access). This can lead to unauthorized manipulation of job configurations and potentially to further compromise of the Jenkins environment. The attacker may gain elevated privileges on jobs they previously had limited access to [1][2].

Mitigation

As of the security advisory published on 2022-03-29, no fixed version of the Jenkins Job and Node ownership Plugin was available. The advisory notes that the issue remains unresolved [1][2]. Users are advised to restrict Item/Read permission for untrusted users, monitor for any unexpected permission changes, and consider disabling the plugin if not required. No workaround other than access control restrictions has been documented.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| com.synopsys.jenkinsci:ownership (Maven) | <= 0.13.0 | |

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

5

News mentions

1