CVE-2022-34794
Description
Missing permission checks in Jenkins Recipe Plugin 1.2 and earlier allow attackers with Overall/Read permission to send crafted HTTP requests and parse attacker-specified XML.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Jenkins Recipe Plugin, versions 1.2 and earlier, fails to perform proper permission checks. This allows users who hold only the Overall/Read permission, a relatively low-privilege level, to make the Jenkins server issue an HTTP request to an attacker-specified URL; the plugin then parses the response as XML [1][2]. This vulnerability, identified as CVE-2022-34794, is rooted in a missing permission check in the plugin's code [1].
Exploitation requires that the attacker already hold Overall/Read permission on the Jenkins instance; no further authentication is needed to reach the vulnerable functionality. The attacker supplies an external URL, the Jenkins server makes an HTTP request to that URL, and the plugin parses the returned content as XML [1][2].
The impact is that an attacker can potentially use this behaviour for server-side request forgery (SSRF), and the consequences of parsing attacker-controlled XML depend on how the XML parser is configured. While the advisory does not detail further consequences, the ability to trigger arbitrary HTTP requests from, and parse arbitrary XML in, the Jenkins server context could lead to information disclosure or other attacks [1].
As of the Jenkins Security Advisory 2022-06-30, no patch has been mentioned for this specific plugin, and users are advised to consider the risk and apply mitigations such as restricting Overall/Read permission or monitoring for unusual outbound requests [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:recipeMaven | <= 1.2 | — |
Affected products
- Jenkins project / Jenkins Recipe Plugin, range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-j33r-cgm6-pv48 (GHSA advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2022-34794 (NVD advisory)
- [3] www.jenkins.io/security/advisory/2022-06-30/ (vendor advisory, web)
News mentions
No linked articles in our index yet.