Moderate severity · NVD Advisory · Published Jul 27, 2022 · Updated Aug 3, 2024
CVE-2022-36897
Description
A missing permission check in Jenkins Compuware Xpediter Code Coverage Plugin 1.0.7 and earlier allows attackers with Overall/Read permission to enumerate hosts and ports of Compuware configurations and credentials IDs of credentials stored in Jenkins.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.compuware.jenkins:compuware-xpediter-code-coverage (Maven) | < 1.0.8 | 1.0.8 |
Affected products
- Range: unspecified
Patches
2bb312d91f8d SECURITY-2626: Added Missing permission checks.
1 file changed · +12 −0
src/main/java/com/compuware/jenkins/build/CodeCoverageBuilder.java+12 −0 modified@@ -252,6 +252,12 @@ public FormValidation doCheckCredentialsId(@QueryParameter String credentialsId) public ListBoxModel doFillConnectionIdItems(@AncestorInPath Jenkins context, @QueryParameter String connectionId, @AncestorInPath Item project) { + if (project == null) { + Jenkins.get().checkPermission(Jenkins.ADMINISTER); + } else { + project.checkPermission(Item.CONFIGURE); + } + CpwrGlobalConfiguration globalConfig = CpwrGlobalConfiguration.get(); HostConnection[] hostConnections = globalConfig.getHostConnections(); @@ -288,6 +294,12 @@ public ListBoxModel doFillConnectionIdItems(@AncestorInPath Jenkins context, @Qu public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Jenkins context, @QueryParameter String credentialsId, @AncestorInPath Item project) { + if (project == null) { + Jenkins.get().checkPermission(Jenkins.ADMINISTER); + } else { + project.checkPermission(Item.CONFIGURE); + } + List<StandardCredentials> creds = CredentialsProvider.lookupCredentials( StandardCredentials.class, project, ACL.SYSTEM, Collections.<DomainRequirement> emptyList());
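Review bot: In the doFillConnectionIdItems hunk the injected `@AncestorInPath Jenkins context` parameter remains unused after the change, and the null-project branch reaches the root object through `Jenkins.get()` instead; consider `context.checkPermission(Jenkins.ADMINISTER)` (or dropping the parameter) so the method authorizes against a single, explicit object. The placement itself is right: the check runs before `globalConfig.getHostConnections()` is read, so a caller holding only Overall/Read (without Item/Configure on the job, or Overall/Administer outside a job context) now receives an access-denied response instead of the configured host and port list.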
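Review bot: The five-line permission block added in doFillCredentialsIdItems is a verbatim copy of the one added in doFillConnectionIdItems; extract it into a private helper such as `checkConfigurePermission(Item project)` so the two form-fill methods, and any doCheck/doFill methods added later, cannot drift apart or omit the check. The ordering is correct: the check precedes `CredentialsProvider.lookupCredentials(StandardCredentials.class, project, ACL.SYSTEM, ...)`, which runs as SYSTEM and would otherwise return the stored credentials IDs to any Overall/Read caller.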
References
- github.com/advisories/GHSA-hxf7-9rv9-88v6 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-36897 (NVD advisory)
- www.openwall.com/lists/oss-security/2022/07/27/1 (oss-security mailing list)
- github.com/jenkinsci/compuware-xpediter-code-coverage-plugin/commit/2bb312d91f8dc20e7e1e2098584dbea65a9bffb6 (fix commit)
- www.jenkins.io/security/advisory/2022-07-27/ (Jenkins security advisory)