VYPR
Moderate severity · NVD Advisory · Published Jun 30, 2022 · Updated Aug 3, 2024

CVE-2022-34810


Description

A missing check in Jenkins RQM Plugin 2.8 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins RQM Plugin 2.8 and earlier allows attackers with Overall/Read permission to enumerate credential IDs via a missing permission check.

Vulnerability

Description

CVE-2022-34810 is an information disclosure vulnerability in the Jenkins RQM Plugin, versions 2.8 and earlier. The plugin fails to perform a necessary permission check, allowing users with the low-privilege Overall/Read permission to enumerate the IDs of credentials stored in Jenkins [1]. The missing check sits in an API endpoint that should require a higher permission, such as Credentials/View, before returning credential metadata.

Exploitation

An attacker with only Overall/Read permission can exploit this vulnerability by sending a request to the affected endpoint. No authentication beyond a valid Jenkins session holding that permission is required. The attacker can then list all credential IDs, the unique identifiers under which stored credentials (username/password pairs, API tokens, and so on) are referenced [2]. This enumeration does not expose the secret values themselves, but it reveals which credentials exist and their IDs, which can be used in subsequent attacks to target specific credentials.

Impact

While the vulnerability does not directly expose credential secrets, it provides attackers with a roadmap of available credentials. With credential IDs, attackers can attempt to exploit other vulnerabilities (such as those allowing credential usage) or conduct social engineering. The severity is considered medium, as the information leakage can be a stepping stone for more serious attacks. Organizations using the plugin should assess the risk of users with Overall/Read access.

Mitigation

The Jenkins RQM Plugin has been fixed in version 2.9, which adds the missing permission check [1]. Users should upgrade to at least version 2.9 immediately. As a workaround, administrators can revoke Overall/Read permission from users who do not require it, though this may impact normal operations. Additionally, restricting access to the plugin's API via Jenkins' overall security settings can help mitigate the issue.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: net.praqma:rqm-plugin (Maven)
Affected versions: <= 2.8
Patched versions: not listed

Affected products: 3

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.