VYPR
Moderate severity · NVD Advisory · Published Jun 30, 2022 · Updated Aug 3, 2024

CVE-2022-34796

Description

Jenkins Deployment Dashboard Plugin 1.0.10 and earlier lacks a permission check, allowing attackers with Overall/Read to enumerate credential IDs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Description

The Jenkins Deployment Dashboard Plugin up to version 1.0.10 fails to perform a permission check in a method implementing form validation. This missing check allows users with only Overall/Read permission to access a function that should require higher privileges. [1]

Exploitation

An attacker with Overall/Read permission (typically granted to many users) can exploit this flaw by sending a crafted request to the affected form validation endpoint. No access beyond the attacker's existing Jenkins account is needed. [2]

Impact

Successful exploitation enables the attacker to enumerate the IDs of credentials stored in Jenkins. While the actual credential values are not exposed, credential IDs can provide valuable information about the credential types and names, aiding in further attacks. [3]

Mitigation

The issue is fixed in Deployment Dashboard Plugin version 1.0.11. Users should upgrade to this version or later as soon as possible. No workaround is available. [1]

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:ec2-deployment-dashboard (Maven) | <= 1.0.10 | |

Affected products: 2

Patches: 0

No patches discovered yet.

References: 4
