VYPR
Moderate severity · NVD Advisory · Published Jun 30, 2022 · Updated Aug 3, 2024

CVE-2022-34779

Description

A missing permission check in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing permission check in Jenkins XebiaLabs XL Release Plugin allows attackers with Overall/Read to enumerate credential IDs.

Vulnerability

Description

CVE-2022-34779 is a missing permission check in the Jenkins XebiaLabs XL Release Plugin versions 22.0.0 and earlier. The plugin fails to properly verify permissions when accessing a certain endpoint, allowing users with only Overall/Read permission to enumerate credentials IDs of stored credentials [1][3].

Exploitation

An attacker needs Overall/Read permission, which is typically granted to low-privileged users or can be obtained through other means. The attacker can exploit this by sending a crafted request to the vulnerable endpoint, without needing any further authorization [1]. No special network position is required beyond access to the Jenkins instance.

Impact

Successful exploitation allows an attacker to retrieve a list of credential IDs stored in Jenkins. While credential IDs alone do not expose the secret values, they can be used in further attacks, such as cross-site request forgery or credential reuse, to potentially compromise the Jenkins environment [1][3].

Mitigation

The vulnerability is fixed in XebiaLabs XL Release Plugin version 22.0.1 or later. Users should upgrade to the latest version. As a workaround, administrators can restrict Overall/Read permission to trusted users only [1].
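An added inventory check, written for this advisory and not code from the plugin or the page itself: given the JSON that the Jenkins plugin manager API returns, it flags an installed XL Release plugin whose version is below the 22.0.1 fix, treating a pre-release build of 22.0.1 as still affected. The plugin short name `xlrelease` and the sample inventory are assumptions.

```python
"""Flag Jenkins instances still running an XL Release plugin version
affected by CVE-2022-34779 (fixed in 22.0.1, per the advisory).

Added example, not the plugin's own code. Input is the JSON shape of
/pluginManager/api/json?depth=1 (fields "shortName" and "version").
The short name "xlrelease" and the sample inventory are assumptions."""
import json
import re

FIXED_VERSION = "22.0.1"         # from the advisory: patched in 22.0.1 or later
PLUGIN_SHORT_NAME = "xlrelease"  # ASSUMPTION: Jenkins short name of xlrelease-plugin


def parse_version(v: str) -> tuple:
    """Turn '22.0.0', '22.0.1-SNAPSHOT' or '22.0' into a comparable tuple.
    Numeric parts are padded to four fields so 22.0 == 22.0.0; a qualifier
    such as '-SNAPSHOT' sorts before the plain release of the same number."""
    core, _, qualifier = v.partition("-")
    nums = [int(x) for x in re.findall(r"\d+", core)]
    nums += [0] * (4 - len(nums))
    return tuple(nums[:4]) + ((0 if qualifier else 1),)


def is_affected(version: str) -> bool:
    """True if the installed plugin version is older than the patched version."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def find_affected(plugin_manager_json: str) -> list:
    """Return (shortName, version) pairs for affected XL Release plugin installs."""
    data = json.loads(plugin_manager_json)
    hits = []
    for plugin in data.get("plugins", []):
        name = plugin.get("shortName")
        version = plugin.get("version", "0")
        if name == PLUGIN_SHORT_NAME and is_affected(version):
            hits.append((name, version))
    return hits


# Constructed sample of a plugin manager response (not captured from a real instance).
SAMPLE_INVENTORY = json.dumps({"plugins": [
    {"shortName": "credentials", "version": "2.6.1"},
    {"shortName": "xlrelease", "version": "22.0.0"},
]})

if __name__ == "__main__":
    for name, version in find_affected(SAMPLE_INVENTORY):
        print(f"{name} {version}: affected by CVE-2022-34779, upgrade to {FIXED_VERSION}+")
```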

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.xebialabs.ci:xlrelease-plugin (Maven)
Affected versions: < 22.0.1
Patched versions: 22.0.1

Affected products: 3

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE. The mechanics section is only generated when the actual fix diff can be read; without it, the four subsections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 4

News mentions: 0

No linked articles in our index yet.