VYPR
Moderate severity · NVD Advisory · Published Jun 30, 2022 · Updated Nov 20, 2024

CVE-2022-34781

Description

Missing permission checks in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing permission checks in the Jenkins XebiaLabs XL Release Plugin allow attackers with Overall/Read permission to leak stored credentials via an attacker-specified HTTP server and credential IDs.

Missing permission checks in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. The plugin does not properly validate that the user has the necessary permissions to use the specified credentials, leading to an unauthorized credential capture [1][2].

An attacker must first have Overall/Read permission in Jenkins, which is typically a low-privilege access level. The attacker then provides a malicious HTTP server endpoint and a credential ID (obtained through other means, such as another vulnerability or configuration inspection). The plugin will then use the provided credential to connect to the attacker's server, effectively sending the stored credential value to an external location controlled by the attacker [1][2].

Successful exploitation allows the attacker to capture Jenkins-stored credentials that they would otherwise not have permission to access. This can include sensitive credentials such as API tokens, SSH keys, or passwords, which can then be used to compromise other systems or services integrated with Jenkins.

The vulnerability is fixed in XebiaLabs XL Release Plugin 22.0.1, which adds proper permission checks. Users are advised to update to the latest version. The plugin's source code is available on GitHub, and the Jenkins Security Advisory provides full details [1][3].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.xebialabs.ci:xlrelease-plugin (Maven)
Affected versions: < 22.0.1
Patched versions: 22.0.1
