CVE-2022-34212
Description
Jenkins vRealize Orchestrator Plugin 3.0 and earlier lacks a permission check, letting attackers with Overall/Read permission send POST requests to arbitrary URLs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Details
CVE-2022-34212 is a missing permission check in Jenkins vRealize Orchestrator Plugin version 3.0 and earlier. The plugin fails to verify that a user has the necessary permissions to trigger an HTTP POST request to a user-specified URL, allowing any user with Overall/Read access to exploit this flaw [1].
Attack Vector
An attacker with Overall/Read permission (a relatively low privilege) can craft a request that causes the plugin to send an HTTP POST to an arbitrary URL controlled by the attacker. This can be used to perform server-side request forgery (SSRF) attacks against internal networks or to exfiltrate data to external servers [3].
Impact
Successful exploitation could allow an attacker to interact with internal systems that are otherwise inaccessible from the public internet, potentially leading to further compromise of the Jenkins environment or associated infrastructure.
Mitigation
The issue has been fixed in a subsequent release of the plugin. Users should upgrade to a version later than 3.0. The Jenkins security advisory provides details on the fix [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:vmware-vrealize-orchestrator (Maven) | <= 3.0 | — |
Affected products
- Jenkins project/Jenkins vRealize Orchestrator Plugin (v5), Range: unspecified
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-35r9-gfqf-r6cw (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-34212 (ghsa, ADVISORY)
- www.jenkins.io/security/advisory/2022-06-22/ (ghsa, x_refsource_CONFIRM, WEB)