CVE-2022-34798
Description
Jenkins Deployment Dashboard Plugin 1.0.10 and earlier lacks permission checks in HTTP endpoints, enabling attackers with Overall/Read to make requests to arbitrary URLs with any credentials.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Deployment Dashboard Plugin 1.0.10 and earlier lacks permission checks in HTTP endpoints, enabling attackers with Overall/Read to make requests to arbitrary URLs with any credentials.
Vulnerability
Description
The Jenkins Deployment Dashboard Plugin version 1.0.10 and earlier fails to perform a permission check in several HTTP endpoints [1][2]. This missing access control allows any authenticated user with the Overall/Read permission to trigger requests to attacker-specified HTTP URLs using attacker-supplied credentials [1].
Exploitation
An attacker who has at least Overall/Read permission in Jenkins can exploit this by crafting a request to any of the vulnerable endpoints, specifying a target URL and credentials of their choice [1][2]. The plugin will then make an HTTP request to that URL with those credentials, effectively acting as a proxy for the attacker.
Impact
This vulnerability can be used to perform server-side request forgery (SSRF) attacks, including scanning internal networks or accessing resources that require authentication [1][2]. Additionally, the attacker can supply arbitrary credentials, potentially enabling credential theft or reuse attacks against other services.
Mitigation
The issue is addressed in Deployment Dashboard Plugin version 1.0.11 and later [1]. Users should update to the latest version immediately. There is no known workaround for earlier versions.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.jenkins-ci.plugins:ec2-deployment-dashboardMaven | <= 1.0.10 | — |
Affected products
2- Range: unspecified
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
4- github.com/advisories/GHSA-q4mr-j6w9-r2mrghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-34798ghsaADVISORY
- www.jenkins.io/security/advisory/2022-06-30/mitrex_refsource_CONFIRM
- www.jenkins.io/security/advisory/2022-06-30/ghsaWEB
News mentions
0No linked articles in our index yet.