VYPR
Moderate severity · NVD Advisory · Published Jun 30, 2022 · Updated Aug 3, 2024

CVE-2022-34818

Description

Jenkins Failed Job Deactivator Plugin ≤1.2.1 lacks permission checks, letting attackers with Overall/Read disable jobs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Jenkins Failed Job Deactivator Plugin, versions 1.2.1 and earlier, fails to perform permission checks in several views and HTTP endpoints ([1], [2]). This missing access control allows any authenticated user with the Overall/Read permission to trigger job deactivation actions that should require higher privileges.

Exploitation

The attack vector is straightforward: an attacker who has obtained the Overall/Read permission (a relatively low-privilege level in Jenkins) can exploit these unprotected endpoints to disable jobs without needing job-specific permissions. The plugin’s own description notes its purpose is to detect and deactivate or delete orphaned jobs, but the vulnerability means these powerful operations are not gated properly ([3]).

Impact

Successful exploitation results in denial of service or disruption of automated build pipelines, as jobs can be disabled arbitrarily. This can lead to missed builds, delayed deployments, and increased manual intervention to restore job functionality.

Mitigation

The plugin is open source and maintained on GitHub ([3]). The Jenkins Security Advisory 2022-06-30 recommends upgrading to a fixed version where all views and endpoints enforce proper permission checks ([1]).

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: de.einsundeins.jenkins.plugins.failedjobdeactivator:failedJobDeactivator (Maven)
Affected versions: <= 1.2.1
Patched versions: (none listed)

Patches

0

No patches discovered yet.

References

3
