CVE-2022-28158
Description
A missing permission check in Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier allows attackers with Overall/Read permission to enumerate credential IDs via an HTTP endpoint.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A missing permission check in Jenkins Pipeline: Phoenix AutoTest Plugin versions 1.3 and earlier allows attackers with Overall/Read permission to enumerate credential IDs. The vulnerability exists in the plugin's HTTP endpoint, which exposes credential IDs without verifying that the caller is authorized to see them [1][2][3].
Exploitation
An attacker must have at least Overall/Read permission in Jenkins to exploit this vulnerability. No other privileges or user interaction are required. The attacker can simply access the vulnerable HTTP endpoint to retrieve a list of stored credential IDs [1][2].
Impact
Successful exploitation leads to information disclosure, as the attacker can enumerate the credential IDs stored in Jenkins. While the actual credential values are not exposed, knowledge of credential IDs can facilitate further attacks, such as exploiting other vulnerabilities that accept credential IDs as parameters [1][2][3].
Mitigation
No fix has been released for Pipeline: Phoenix AutoTest Plugin as of the publication date. The plugin is listed among unresolved security issues in the Jenkins Security Advisory 2022-03-29. Users should limit access to Jenkins to trusted users only and consider removing the plugin if not required [1][2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| com.surenpi.jenkins:phoenix-autotest | Maven | <= 1.3 | none |
Affected products
- Jenkins project / Jenkins Pipeline: Phoenix AutoTest Plugin (version range: unspecified)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] https://github.com/advisories/GHSA-4c7h-f2j9-9c46 (GitHub Security Advisory)
- [2] https://nvd.nist.gov/vuln/detail/CVE-2022-28158 (NVD advisory)
- [3] https://www.openwall.com/lists/oss-security/2022/03/29/1 (oss-security mailing list)
- [4] https://www.jenkins.io/security/advisory/2022-03-29/ (Jenkins Security Advisory, vendor confirmation)
News mentions
- Jenkins Security Advisory 2022-03-29 (Jenkins Security Advisories, Mar 29, 2022)