VYPR
Moderate severity · NVD Advisory · Published Jun 22, 2022 · Updated Aug 3, 2024

CVE-2022-34210

Description

Jenkins ThreadFix Plugin 1.5.4 and earlier lacks a permission check, allowing attackers with Overall/Read to send requests to arbitrary URLs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The ThreadFix Plugin for Jenkins, versions 1.5.4 and earlier, contains a missing permission check [1]. The plugin does not verify the caller's permissions before connecting to a caller-specified URL, so any user with Overall/Read permission, the baseline permission most Jenkins deployments grant to every authenticated user, can trigger that connection [2].

An attacker with Overall/Read permission exploits this by invoking the unprotected functionality with a URL of their choosing; the description does not name the specific endpoint. The resulting request originates from the Jenkins controller, not from the attacker's browser, and no authentication or privileges beyond Overall/Read are required [1][2].

The impact is that the attacker can force the Jenkins server to open HTTP connections to any URL of their choosing, which is server-side request forgery (SSRF). Depending on how much of the response the endpoint reports back to the caller, this ranges from blind SSRF, where only whether a connection succeeded is observable, to reading responses from internal services; the description does not state which applies. Even the blind case lets the attacker probe internal networks, reach cloud metadata endpoints (e.g., AWS, GCP) and other services that trust the Jenkins host's network position, and make the controller connect out to an attacker-controlled server, which at minimum confirms the vulnerability and reveals the controller's egress address [1].
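The general Jenkins pattern behind this class of finding, as an added Java example that is not the ThreadFix Plugin's own code: a Stapler-routed form-validation method that opens a connection to a caller-supplied URL, shown first without any permission check (the vulnerable shape) and then with the permission check and POST restriction that Jenkins' plugin security guidance requires for endpoints with side effects. The class and method names, the `url` parameter and the resulting `/testConnection` path are assumptions for the illustration; the advisory does not name the affected endpoint.

```java
// Added illustration of the "missing permission check" pattern in a Jenkins
// plugin. Not the ThreadFix Plugin's code: class names, doTestConnection and
// the url parameter are assumptions chosen for the example.
import hudson.Extension;
import hudson.util.FormValidation;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.net.HttpURLConnection;
import java.net.URL;

/**
 * Vulnerable shape (shown package-private here for contrast; in a real plugin
 * each descriptor lives in its own file). Stapler exposes this method as
 * GET or POST /descriptorByName/<class name>/testConnection to anyone who can
 * reach the web UI, i.e. any user with Overall/Read, and the method makes the
 * Jenkins controller open a connection to whatever `url` the caller supplied.
 */
class VulnerableConfig extends GlobalConfiguration {
    public FormValidation doTestConnection(@QueryParameter String url) {
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
            conn.setConnectTimeout(5000);
            int code = conn.getResponseCode();   // server-side request happens here
            // Reporting the status code back to the caller turns a blind SSRF
            // into one that leaks whether internal hosts and paths exist.
            return FormValidation.ok("HTTP " + code);
        } catch (Exception e) {
            return FormValidation.error(e, "Connection failed");
        }
    }
}

/**
 * Hardened shape: require Overall/Administer before doing anything, and accept
 * only POST so the endpoint cannot be driven by a cross-site GET either.
 * checkPermission throws if the caller lacks the permission, so the connection
 * below is never attempted for an unprivileged user.
 */
@Extension
public class HardenedConfig extends GlobalConfiguration {
    @POST
    public FormValidation doTestConnection(@QueryParameter String url) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
            conn.setConnectTimeout(5000);
            int code = conn.getResponseCode();
            return FormValidation.ok("HTTP " + code);
        } catch (Exception e) {
            return FormValidation.error(e, "Connection failed");
        }
    }
}
```

The permission to require depends on where the form lives: a global configuration page should check `Jenkins.ADMINISTER`, while a per-job form should take the item via `@AncestorInPath` and check `Item.CONFIGURE` on it. Either way the check must come before the outbound connection, not after, and `@POST` alone is not a substitute for it.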

Jenkins published an advisory for this issue on June 22, 2022, tracking it as SECURITY-2249 [1]. The affected-package data on this page lists every release up to and including 1.5.4 as affected and records no patched version, so treat any installed ThreadFix Plugin as vulnerable until a fixed release appears in the plugin's update metadata. No workaround is documented in the advisory. The general mitigations for an unfixed plugin of this kind are to uninstall it where it is not needed, to limit Overall/Read to users you would trust with outbound requests from the controller, and to restrict egress from the Jenkins controller, especially to cloud metadata addresses, so that a forced request has little reach.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:threadfix (Maven)
Affected versions: <= 1.5.4
Patched versions: none listed

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 3

News mentions: 0 (no linked articles in our index yet)