VYPR
Moderate severity · NVD Advisory · Published Jun 30, 2022 · Updated Aug 3, 2024

CVE-2022-34813

Description

Missing permission check in Jenkins XPath Configuration Viewer Plugin allows attackers with Overall/Read to create and delete XPath expressions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

The Jenkins XPath Configuration Viewer Plugin, versions 1.1.1 and earlier, contains a missing permission check vulnerability. The plugin fails to verify that a user has the necessary permissions (such as Overall/Administer) before allowing operations to create or delete XPath expressions. This flaw is identified in the Jenkins Security Advisory 2022-06-30 under SECURITY-2658 [1].

Exploitation

An attacker with only Overall/Read permission can exploit this vulnerability by sending crafted requests to the plugin's endpoints. No additional authentication or elevated privileges are required beyond the basic read access that many Jenkins users possess. The attack surface is accessible to any authenticated user with Overall/Read, which is a common default permission for many Jenkins roles [1].

Impact

Successful exploitation allows the attacker to create and delete XPath expressions used by the plugin. While the advisory does not detail further consequences, unauthorized modification of XPath expressions could potentially alter the behavior of the plugin, such as changing which parts of job configurations are displayed or causing errors. The impact is limited to the plugin's functionality and does not extend to arbitrary code execution or data exfiltration based on available information [1].

Mitigation

Jenkins has released updated versions of the plugin that include proper permission checks. Users should upgrade to the latest version of the XPath Configuration Viewer Plugin as recommended in the advisory. No workarounds are mentioned, but administrators can also review and restrict Overall/Read permissions to trusted users only [1].
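The permission-check fix described above, shown as an added illustration in Java. This is not the XPath Configuration Viewer Plugin's own code: the action class, its URL name `xpath-demo`, and the `doCreate`/`doDelete` handlers are hypothetical, chosen only to show the pattern. What is real is the Jenkins core and Stapler API it relies on: `Jenkins.get().checkPermission(Jenkins.ADMINISTER)` rejects callers without Overall/Administer, and `@RequirePOST` refuses GET requests so that a state change cannot be triggered by a plain link.

```java
package example; // hypothetical package, not the plugin's

import hudson.Extension;
import hudson.model.RootAction;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.util.List;
import java.util.concurrent.CopyOnWriteArrayList;

/**
 * Illustrative root action that keeps a list of XPath expressions.
 * doCreateUnchecked shows the missing-check shape the advisory describes;
 * doCreate/doDelete show the same operations with the check in place.
 */
@Extension
public class XPathExpressionsAction implements RootAction {

    private final List<String> expressions = new CopyOnWriteArrayList<>();

    // Vulnerable shape: Stapler exposes this as /xpath-demo/doCreateUnchecked.
    // Nothing asks whether the caller may administer Jenkins, so anyone who can
    // reach the URL (i.e. any user with Overall/Read) can add an expression.
    public HttpResponse doCreateUnchecked(@QueryParameter String expression) {
        expressions.add(expression);
        return HttpResponses.redirectToDot();
    }

    // Hardened shape: checkPermission throws AccessDeniedException, which
    // Jenkins renders as HTTP 403, when the current user lacks
    // Overall/Administer. @RequirePOST blocks GET, so the change cannot be
    // triggered by a link or image tag.
    @RequirePOST
    public HttpResponse doCreate(@QueryParameter String expression) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        expressions.add(expression);
        return HttpResponses.redirectToDot();
    }

    @RequirePOST
    public HttpResponse doDelete(@QueryParameter String expression) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        expressions.remove(expression);
        return HttpResponses.redirectToDot();
    }

    // Read-only view: Overall/Read is the appropriate bar for listing.
    public List<String> getExpressions() {
        Jenkins.get().checkPermission(Jenkins.READ);
        return expressions;
    }

    @Override public String getIconFileName() { return null; } // hidden from the sidebar
    @Override public String getDisplayName() { return "XPath expressions (demo)"; }
    @Override public String getUrlName() { return "xpath-demo"; }
}
```

When reviewing a plugin for this class of bug, the check is mechanical: every `do*` web method and every `@JavaScriptMethod` that changes state should call `checkPermission` (or `hasPermission` with an explicit failure path) before acting, and should carry `@RequirePOST`. A handler that only redirects afterwards, as `doCreateUnchecked` does, is the pattern to flag.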

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Ecosystem | Affected versions | Patched versions
org.jenkins-ci.plugins:xpath-config-viewer | Maven | <= 1.1.1 | (none listed)

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.