VYPR
Moderate severity · NVD Advisory · Published Jul 27, 2022 · Updated Aug 3, 2024

CVE-2022-36903

Description

Missing permission check in Jenkins Repository Connector Plugin 2.2.0 and earlier allows attackers with Overall/Read permission to enumerate credential IDs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

The Repository Connector Plugin for Jenkins, versions 2.2.0 and earlier, contains a missing permission check vulnerability [1][2][4]. This flaw occurs because the plugin does not properly verify that a user has the necessary permissions before exposing credential IDs through its API endpoints. Specifically, an attacker only needs the low-level Overall/Read permission to access these IDs, which is typically granted to many Jenkins users [1].

Exploitation

Prerequisites

To exploit this vulnerability, an attacker must have at least Overall/Read permission on the Jenkins instance. This is a common permission often granted to unprivileged users, making the attack surface relatively broad. The attacker does not require any additional authentication or special privileges beyond this basic read access [1][4]. The vulnerability exists in how the plugin handles credential ID lookups without enforcing a proper permission check [2].

Impact

A successful exploit allows the attacker to enumerate credential IDs stored in Jenkins [1]. Credential IDs are not the credentials themselves, but they give an attacker a map of what exists, which can be chained with other weaknesses in attempts to retrieve or misuse the underlying credentials. Credential IDs are therefore treated as sensitive, because they reveal the existence and names of credentials used in the system [2][4].

Mitigation

Status

The vulnerability has been addressed in the Jenkins Security Advisory 2022-07-27. Users should upgrade to a patched version of the Repository Connector Plugin if available. As of the advisory, no workaround is mentioned; updating the plugin is the recommended mitigation [1]. Additionally, this issue is not reported on the CISA Known Exploited Vulnerabilities (KEV) catalog [3].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:repository-connector (Maven)
Affected versions: <= 2.2.0
Patched versions: (not listed)

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 5
