VYPR
Moderate severity · NVD Advisory · Published May 17, 2022 · Updated Aug 3, 2024

CVE-2022-30957

Description

A missing permission check in Jenkins SSH Plugin 2.6.1 and earlier allows attackers with Overall/Read permission to enumerate credential IDs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Jenkins SSH Plugin 2.6.1 and earlier does not perform a permission check when accessing a method that enumerates credentials. This missing check allows attackers with Overall/Read permission to obtain credential IDs stored in Jenkins. The vulnerability is distinct from other issues disclosed in the same advisory [1][2].

Exploitation

An attacker only needs Overall/Read permission, which is a low-privilege permission typically granted to many users in Jenkins environments. No additional authentication or user interaction is required. The attacker can directly call the affected method to retrieve the list of credential IDs [1][2].

Impact

Successful exploitation results in the disclosure of credential IDs, which are sensitive identifiers. While the attacker does not obtain the actual credential secrets, knowing the IDs can facilitate further targeted attacks or credential theft if combined with other vulnerabilities. The CIA impact is limited to confidentiality of credential metadata [1][3].

Mitigation

Jenkins SSH Plugin 2.6.1 is the last affected version, and no fix was available as of the advisory date (2022-05-17). As a workaround, administrators should restrict Overall/Read permission to trusted users only. The advisory lists the plugin as having an unresolved security issue [1][2]. No fix version has been released, and the plugin may be considered end-of-life or unmaintained.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| org.jenkins-ci.plugins:ssh (Maven) | <= 2.6.1 | |

Patches

No patches discovered yet.
