CVE-2022-36895
Description
Jenkins Compuware Topaz Utilities Plugin 1.0.8 and earlier lacks permission checks, allowing attackers with Overall/Read to enumerate hosts, ports, and credential IDs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Description
The Compuware Topaz Utilities Plugin for Jenkins, versions 1.0.8 and earlier, contains a missing permission check vulnerability [1]. The doFillConnectionIdItems and doFillCredentialsIdItems methods, which populate form fields with connection and credential information, perform no authorization check before serving data. This means any user with at least Overall/Read permission can trigger these methods [2][3].
Attack Vector
An attacker who has been granted Overall/Read permission (the minimum Jenkins access level) can send a crafted HTTP request to the plugin's form field population endpoints. These endpoints are designed to be called by Jenkins forms to provide dropdown lists of available Compuware host connections and credential IDs. Because the permission check is missing, the response will include a list of host names, ports, and credential IDs for all configured Compuware connections in the Jenkins instance [1][4]. No additional authentication or specific job-level access is required.
Impact
Successful exploitation allows an attacker to enumerate the hosts and ports of Compuware configurations and to discover the IDs of credentials stored in Jenkins. While this does not directly expose the credential secrets, it provides an attacker with valuable reconnaissance information that can be used to target specific systems or credentials for further attacks. The information disclosure could help an adversary plan more sophisticated attacks, such as connecting to a known Compuware host or leveraging a known credential ID in other exploits.
Mitigation
The vulnerability has been fixed in Compuware Topaz Utilities Plugin version 1.0.9. The fix adds proper permission checks, requiring either Jenkins.ADMINISTER permission for global use or Item.CONFIGURE permission for a specific project [4]. Users should update to the latest version immediately. There is no workaround; blocking access to the plugin's endpoints could break legitimate form functionality.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
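The two paragraphs above (the unchecked doFill*Items methods, and the fix that gates them on Jenkins.ADMINISTER or Item.CONFIGURE) are the whole story of this CVE, so here is a defender-side way to look for the same pattern in a plugin source tree. This is an added example, not code from the plugin, the advisory or the CVE record: a small Python audit that locates Stapler-bound form methods (doFill*Items and doCheck*) and reports which permission checks, if any, each body performs. The embedded Java snippets are constructed to mirror the shape of the pre-fix and post-fix descriptor; the class and method names come from the patch, but the loop and return statements inside them are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the pre-fix descriptor: both form-population
# methods hand back host connections and credential IDs with no authorization
# check. Names follow the patch; the method bodies are assumed, not the real file.
VULNERABLE_SOURCE = """
public class JclDescriptorImpl extends BuildStepDescriptor<Builder> {
    public ListBoxModel doFillConnectionIdItems(@AncestorInPath Jenkins context,
            @QueryParameter String connectionId, @AncestorInPath Item project) {
        CpwrGlobalConfiguration globalConfig = CpwrGlobalConfiguration.get();
        HostConnection[] hostConnections = globalConfig.getHostConnections();
        ListBoxModel model = new ListBoxModel();
        for (HostConnection hc : hostConnections) {
            model.add(hc.getDescription(), hc.getConnectionId());
        }
        return model;
    }

    public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Jenkins context,
            @QueryParameter String credentialsId, @AncestorInPath Item project) {
        List<StandardCredentials> creds = CredentialsProvider.lookupCredentials(
                StandardCredentials.class, project, ACL.SYSTEM,
                Collections.<DomainRequirement>emptyList());
        return new StandardListBoxModel().withAll(creds);
    }
}
"""

# The guard the fix commit adds at the top of each method: global use needs
# Jenkins.ADMINISTER, per-project use needs Item.CONFIGURE on that project.
PERMISSION_GUARD = """
        if (project == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            project.checkPermission(Item.CONFIGURE);
        }
"""

# Post-fix sample: the same source with the guard inserted after each signature.
FIXED_SOURCE = VULNERABLE_SOURCE.replace("Item project) {\n", "Item project) {" + PERMISSION_GUARD)

# Stapler binds public do* methods to URLs; these two families serve form data
# and are reachable by anyone who can reach the form (Overall/Read in practice).
WEB_METHOD = re.compile(r"\bpublic\s+[\w<>\[\]]+\s+(do(?:Fill\w+Items|Check\w+))\s*\(")
# Captures the permission constant passed to checkPermission(...) / hasPermission(...).
PERMISSION_CALL = re.compile(r"\b(?:check|has)Permission\s*\(\s*([\w.]+)")


def _span_of_matching(src: str, start: int, open_c: str, close_c: str) -> int:
    """Return the index just past the delimiter that closes src[start].

    Nesting is tracked with a counter; string literals containing braces are
    not handled, which is adequate for an audit over descriptor classes.
    """
    depth = 0
    for i in range(start, len(src)):
        if src[i] == open_c:
            depth += 1
        elif src[i] == close_c:
            depth -= 1
            if depth == 0:
                return i + 1
    raise ValueError(f"unbalanced {open_c}{close_c} starting at offset {start}")


def web_method_bodies(src: str) -> Dict[str, str]:
    """Map each doFill*Items / doCheck* method name to the text of its body."""
    bodies: Dict[str, str] = {}
    for m in WEB_METHOD.finditer(src):
        params_end = _span_of_matching(src, m.end() - 1, "(", ")")
        body_start = src.index("{", params_end)
        body_end = _span_of_matching(src, body_start, "{", "}")
        bodies[m.group(1)] = src[body_start:body_end]
    return bodies


def audit_web_methods(src: str) -> Dict[str, List[str]]:
    """For every web-bound form method, list the permissions its body checks.

    An empty list is the CVE-2022-36895 condition: the populated list is
    returned to any caller who can reach the URL.
    """
    return {name: PERMISSION_CALL.findall(body) for name, body in web_method_bodies(src).items()}


def find_unchecked_web_methods(src: str) -> List[str]:
    """Names of form methods that perform no permission check at all."""
    return [name for name, perms in audit_web_methods(src).items() if not perms]


if __name__ == "__main__":
    for label, source in (("pre-fix", VULNERABLE_SOURCE), ("post-fix", FIXED_SOURCE)):
        print(f"{label}: unchecked = {find_unchecked_web_methods(source)}")
        print(f"{label}: checks = {audit_web_methods(source)}")
```

Run over a real checkout, `audit_web_methods` reads each `*Descriptor*.java` and reports methods with an empty permission list; a method that does check something but only against a weak permission (for example Overall/Read) also shows up in the returned constants, which is why the audit reports what is checked rather than a bare yes/no.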
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.compuware.jenkins:compuware-topaz-utilities (Maven) | < 1.0.9 | 1.0.9 |
Affected products
- Range: unspecified
Patches
a79f95c7d32a: SECURITY-2619: Added Missing permission checks.
1 file changed · +12 −0
src/main/java/com/compuware/jenkins/build/JclDescriptorImpl.java+12 −0 modified@@ -151,6 +151,12 @@ public FormValidation doCheckMaxConditionCode(@QueryParameter String maxConditio */ public ListBoxModel doFillConnectionIdItems(@AncestorInPath Jenkins context, @QueryParameter String connectionId, @AncestorInPath Item project) { + if (project == null) { + Jenkins.get().checkPermission(Jenkins.ADMINISTER); + } else { + project.checkPermission(Item.CONFIGURE); + } + CpwrGlobalConfiguration globalConfig = CpwrGlobalConfiguration.get(); HostConnection[] hostConnections = globalConfig.getHostConnections(); @@ -184,6 +190,12 @@ public ListBoxModel doFillConnectionIdItems(@AncestorInPath Jenkins context, @Qu */ public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Jenkins context, @QueryParameter String credentialsId, @AncestorInPath Item project) { + if (project == null) { + Jenkins.get().checkPermission(Jenkins.ADMINISTER); + } else { + project.checkPermission(Item.CONFIGURE); + } + List<StandardCredentials> creds = CredentialsProvider.lookupCredentials(StandardCredentials.class, project, ACL.SYSTEM, Collections.<DomainRequirement>emptyList());
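Review bot: In the first hunk (doFillConnectionIdItems, @@ -151,6 +151,12 @@), the guard calls `checkPermission`, which throws on failure; for a dropdown-population method the usual Jenkins pattern is to test with `hasPermission` and return a ListBoxModel containing only the current `connectionId`, so that a user who can view but not configure the job sees the saved value instead of a form error. Also, the method already receives `@AncestorInPath Jenkins context`, yet the guard goes through `Jenkins.get()`; either use the parameter or drop it so the unused context does not suggest a check that is not happening.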
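Review bot: In the second hunk (doFillCredentialsIdItems, @@ -184,6 +190,12 @@), the six added lines are a verbatim copy of the guard from the first hunk; a private helper taking `project` would keep the two in step and make it harder for a future do* method in this descriptor to ship without one. Worth noting in the commit message, too: the lookup below the guard still runs as `ACL.SYSTEM` and passes `project` straight through, so this permission check is the only thing standing between an Overall/Read caller and the list of credential IDs.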
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-qf4p-7gqc-x6jx (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-36895 (NVD advisory)
- www.openwall.com/lists/oss-security/2022/07/27/1 (oss-security mailing list)
- github.com/jenkinsci/compuware-topaz-utilities-plugin/commit/a79f95c7d32ad6a2e161159fa77f371705f3b20d (fix commit)
- www.jenkins.io/security/advisory/2022-07-27/ (Jenkins security advisory)