CVE-2022-36893
Description
Jenkins rpmsign-plugin Plugin 0.5.0 and earlier lacks a permission check in form validation, allowing attackers with Item/Read to check file patterns in workspace.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Jenkins rpmsign-plugin Plugin up to version 0.5.0 does not perform a permission check in the doCheckIncludes method used for form validation. This method should require Item/Workspace permission but instead relies only on Item/Read permission, violating the principle of least privilege [1][2].
Exploitation
An attacker with Item/Read permission, but without Item/Workspace or Item/Configure, can exploit this flaw by sending a request to the form validation endpoint. The attacker can specify arbitrary file patterns, and the plugin will check if those patterns match any files in the workspace [3]. No further authentication or privileges are needed.
Impact
The attacker can determine whether files matching the specified patterns exist in the project workspace. This can lead to information disclosure about the project structure and potentially sensitive files [1][2][3]. For example, the attacker could check for configuration files or source code patterns, gaining insights into the project without proper authorization.
Mitigation
The vulnerability has been fixed in version 0.5.1 of the rpmsign-plugin Plugin. The fix adds a permission check for Item.WORKSPACE in the doCheckIncludes method [4]. Users are advised to upgrade immediately to prevent exploitation.
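To make the pattern concrete, here is an added example (not the rpmsign-plugin's own code) of a Jenkins form-validation method in its vulnerable and hardened forms. The class name and method names are hypothetical; the Jenkins API calls (`AbstractProject.getSomeWorkspace`, `FilePath.validateAntFileMask`, `checkPermission(Item.WORKSPACE)`) are real. It also adds a null guard for the `@AncestorInPath` job, which goes slightly beyond the narrative above.

```java
// Added illustration (not the rpmsign-plugin's own code): a build-step descriptor
// whose form-validation method inspects the job workspace.
// Class and method names are hypothetical.
import hudson.FilePath;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.util.FormValidation;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;

import java.io.IOException;

public class WorkspaceCheckExample {

    // BEFORE: reachable by any user who can see the job. Resolving the
    // @AncestorInPath job only requires Item/Read, yet the method goes on to
    // read workspace state on that user's behalf (the CVE-2022-36893 shape).
    public FormValidation doCheckIncludesVulnerable(@AncestorInPath AbstractProject<?, ?> project,
                                                     @QueryParameter String value)
            throws IOException, InterruptedException {
        FilePath workspace = project.getSomeWorkspace();
        if (workspace != null) {
            String msg = workspace.validateAntFileMask(value);
            if (msg != null) {
                return FormValidation.error(msg);
            }
        }
        return FormValidation.ok();
    }

    // AFTER: the caller must hold Item/Workspace on this job before any
    // workspace lookup happens. checkPermission throws AccessDeniedException
    // (rendered by Jenkins as HTTP 403) when the caller lacks it, so the
    // existence of files matching the pattern is never revealed to them.
    public FormValidation doCheckIncludes(@AncestorInPath AbstractProject<?, ?> project,
                                          @QueryParameter String value)
            throws IOException, InterruptedException {
        if (project == null) {
            // No job context (validation invoked outside a job page): nothing to inspect.
            return FormValidation.ok();
        }
        project.checkPermission(Item.WORKSPACE);   // the check the 0.5.1 fix adds
        FilePath workspace = project.getSomeWorkspace();
        if (workspace == null) {
            return FormValidation.ok();            // no workspace yet; nothing to validate against
        }
        String msg = workspace.validateAntFileMask(value);
        return msg == null ? FormValidation.ok() : FormValidation.error(msg);
    }
}
```

The important ordering is that the permission check precedes every call that touches the workspace; placing it after `getSomeWorkspace()` would still leak whether a workspace exists. The same rule applies to any `doCheck*` or `doFill*` method that reads job-private state rather than just the submitted form value.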
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:rpmsign-plugin (Maven) | < 0.5.1 | 0.5.1 |
Affected products
- Jenkins project / Jenkins rpmsign-plugin Plugin, range: unspecified
Patches
1b136cddf908 SECURITY-2403 (#22)
1 file changed · +2 −0
src/main/java/jenkins/plugins/rpmsign/RpmSignPlugin.java+2 −0 modified@@ -7,6 +7,7 @@ import hudson.model.AbstractBuild; import hudson.model.AbstractProject; import hudson.model.BuildListener; +import hudson.model.Item; import hudson.model.Result; import hudson.tasks.BuildStepDescriptor; import hudson.tasks.BuildStepMonitor; @@ -273,6 +274,7 @@ public FormValidation doCheckPassphrase(@AncestorInPath AbstractProject project, } public FormValidation doCheckIncludes(@AncestorInPath AbstractProject project, @QueryParameter String value) throws IOException, InterruptedException { + project.checkPermission(Item.WORKSPACE); FilePath workspace = project.getSomeWorkspace(); if (workspace != null) { String msg = workspace.validateAntFileMask(value);
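Review bot: in the second hunk, `project.checkPermission(Item.WORKSPACE);` is correctly placed before `project.getSomeWorkspace()`, so no workspace state is read until the caller is authorized; however `project` comes from `@AncestorInPath` and is dereferenced unguarded, so a request that reaches this endpoint without a job ancestor will throw a NullPointerException (the pre-existing `getSomeWorkspace()` call had the same problem). Consider adding `if (project == null) return FormValidation.ok();` ahead of the check, and confirm that `doCheckPassphrase` in the surrounding context, which this change leaves untouched, does not read job-private state under the same Item/Read-only entry condition.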
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-pw4g-jcp5-63m9 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-36893 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2022/07/27/1 (ghsa, mailing-list, x_refsource_MLIST, WEB)
- github.com/jenkinsci/rpmsign-plugin/commit/1b136cddf908138864cfe1c9c861114f5d263871 (ghsa, WEB)
- www.jenkins.io/security/advisory/2022-07-27/ (ghsa, x_refsource_CONFIRM, WEB)
News mentions
No linked articles in our index yet.