CVE-2022-36904
Description
Jenkins Repository Connector Plugin 2.2.0 and earlier lacks a permission check in a form validation method, allowing attackers with Overall/Read to probe for arbitrary file paths on the controller.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Details
Jenkins Repository Connector Plugin versions 2.2.0 and earlier contain a missing permission check in a form validation method [1]. This method does not verify that the user has the required permissions before processing a file path check, violating the principle of least privilege.
Exploitation
An attacker with only Overall/Read permission can send a crafted request to the form validation endpoint, specifying an arbitrary file path on the Jenkins controller file system [3]. Nothing beyond Overall/Read is required: no job or agent access, and no special network position. Note that on instances whose authorization strategy grants Overall/Read to anonymous users, that includes unauthenticated callers.
Impact
Successful exploitation allows the attacker to determine whether a given file path exists on the controller, enabling reconnaissance of the file system [4]. This information disclosure could be used to identify sensitive files or configuration details, potentially aiding further attacks.
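The following is an added example, not code from the Repository Connector Plugin or the Jenkins project, showing the class of defect described in the Details and Exploitation sections and the standard Jenkins fix. The package, class, field and method names (`example.LocalRepoConfig`, `localRepoPath`, `doCheckLocalRepoPath`) are hypothetical; only the Jenkins/Stapler APIs (`FormValidation`, `GlobalConfiguration`, `@QueryParameter`, `@POST`, `Jenkins.ADMINISTER`) are real.

```java
package example; // hypothetical package and class, not the real plugin's

import hudson.Extension;
import hudson.util.FormValidation;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.io.File;

/**
 * Hypothetical global configuration for a plugin that keeps a local
 * repository directory on the controller. Stapler exposes every public
 * doCheck<Field> method of a descriptor as an HTTP endpoint, e.g.
 *   /descriptorByName/example.LocalRepoConfig/checkLocalRepoPath?value=<path>
 * so any user with Overall/Read can call it directly, without ever opening
 * the configuration page.
 */
@Extension
public class LocalRepoConfig extends GlobalConfiguration {

    private String localRepoPath;

    public LocalRepoConfig() {
        load(); // restore persisted configuration
    }

    public String getLocalRepoPath() {
        return localRepoPath;
    }

    public void setLocalRepoPath(String localRepoPath) {
        this.localRepoPath = localRepoPath;
        save();
    }

    /**
     * VULNERABLE pattern (the bug class described above): no permission
     * check, and the response depends on whether the path exists, so an
     * Overall/Read user can probe arbitrary controller paths one request at
     * a time (e.g. value=/var/lib/jenkins/secrets/master.key).
     */
    public FormValidation doCheckLocalRepoPathUnsafe(@QueryParameter String value) {
        File dir = new File(value);
        if (!dir.exists()) {
            return FormValidation.error("Directory does not exist: " + value);
        }
        if (!dir.isDirectory()) {
            return FormValidation.error("Not a directory: " + value);
        }
        return FormValidation.ok();
    }

    /**
     * HARDENED pattern: a global-configuration field can only be saved by
     * administrators, so require Overall/Administer before touching the
     * file system. Callers without it get a content-free OK rather than an
     * existence oracle. @POST rejects GET requests, so the endpoint cannot be
     * triggered by a plain link and is covered by Jenkins CSRF protection.
     */
    @POST
    public FormValidation doCheckLocalRepoPath(@QueryParameter String value) {
        if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
            // Alternative: Jenkins.get().checkPermission(Jenkins.ADMINISTER),
            // which throws and produces HTTP 403 instead of a silent OK.
            return FormValidation.ok();
        }
        if (value == null || value.trim().isEmpty()) {
            return FormValidation.error("A local repository directory is required");
        }
        File dir = new File(value);
        if (!dir.isDirectory()) {
            return FormValidation.error("Directory does not exist or is not a directory: " + value);
        }
        return FormValidation.ok();
    }
}
```

The hardened variant follows the Jenkins plugin hardening guidance for form validation: decide which permission the corresponding configuration form requires (Overall/Administer for global configuration, Item/Configure on the `@AncestorInPath Item` for job-scoped fields), check it before doing any work, and return nothing informative otherwise. Because the method is annotated with `@POST`, the matching `f:textbox` in the config Jelly view must set `checkMethod="post"`, or the browser-side validation will stop working.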
Mitigation
The Jenkins Security Advisory 2022-07-27 lists this issue, and as of its publication no fixed version of the Repository Connector Plugin was available [1]; the affected-packages table below likewise shows no patched version. Until a fix is released, treat Overall/Read as a sensitive permission on affected instances (do not grant it to anonymous or untrusted users) and consider removing the plugin if it is not needed.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:repository-connector (Maven) | <= 2.2.0 | — |
Affected products
- Range: unspecified
Patches
No patches discovered yet.
References
- https://github.com/advisories/GHSA-fjpq-f574-jc45 (GitHub Security Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2022-36904 (NVD)
- https://www.openwall.com/lists/oss-security/2022/07/27/1 (oss-security mailing list)
- https://www.jenkins.io/security/advisory/2022-07-27/ (Jenkins Security Advisory 2022-07-27)