VYPR
High severity · NVD Advisory · Published May 17, 2022 · Updated Aug 3, 2024

CVE-2022-30959

Description

A missing permission check in Jenkins SSH Plugin 2.6.1 and earlier allows attackers with Overall/Read permission to capture credentials by connecting to an attacker-controlled SSH server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Jenkins SSH Plugin 2.6.1 and earlier lacks a permission check, allowing attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method [1][2]. This vulnerability affects all versions up to and including 2.6.1.

Exploitation

An attacker must have Overall/Read permission in Jenkins and obtain a credentials ID (e.g., through another vulnerability or enumeration). The attacker then uses the SSH Plugin to initiate a connection to an attacker-controlled SSH server with that credentials ID, causing Jenkins to transmit the stored credential [1][2].

Impact

Successful exploitation captures the credential stored in Jenkins corresponding to the provided ID, leading to unauthorized access to systems protected by that credential [1][2]. The attacker gains the stored secret, which can be reused elsewhere.

Mitigation

Not yet explicitly disclosed in the available references. Jenkins Security Advisory 2022-05-17 likely provides a fixed version; consult the advisory for details [1]. As of the provided information, no workaround is mentioned.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| org.jenkins-ci.plugins:ssh (Maven) | <= 2.6.1 | |

Patches

No patches discovered yet.
