CVE-2022-36907
Description
A missing permission check in Jenkins OpenShift Deployer Plugin 1.2.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins OpenShift Deployer Plugin 1.2.0 and earlier has a missing permission check that allows users with Overall/Read permission to connect to attacker-specified URLs using attacker-controlled credentials.
Vulnerability
Details
CVE-2022-36907 is a missing permission check vulnerability in the Jenkins OpenShift Deployer Plugin versions 1.2.0 and earlier [1][3]. The plugin fails to properly validate that users have the necessary permissions before allowing them to connect to an arbitrary URL using attacker-specified username and password. This means that any user with the default 'Overall/Read' permission can trigger an outbound connection from the Jenkins controller to a host and port chosen by the attacker, using credentials the attacker supplies [1].
Exploitation and
Impact
The attack requires only that the attacker has Overall/Read access to a Jenkins instance [3]. An authenticated attacker can craft a malicious request that causes the plugin to connect to an attacker-controlled server using attacker-provided credentials. This can be leveraged to perform Server-Side Request Forgery (SSRF) attacks, potentially accessing internal network resources that the Jenkins controller can reach, or to attempt credential guessing against other services if the attacker can observe the connection attempt [1][2]. The vulnerability does not require any special privileges beyond the minimal read-level access that many Jenkins users have.
Mitigation
The Jenkins Security Advisory 2022-07-27 does not list a fixed version for OpenShift Deployer Plugin, indicating that the plugin may be end-of-life or no longer maintained [2]. Users should consider removing or disabling the plugin if it is not essential, or restrict Overall/Read permissions to trusted users only. No patch has been released for this issue.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.jenkins-ci.plugins:openshift-deployerMaven | <= 1.2.0 | — |
Affected products
3- Range: <=1.2.0
- Range: unspecified
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
5- github.com/advisories/GHSA-jvjh-9r4q-8q5qghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-36907ghsaADVISORY
- www.openwall.com/lists/oss-security/2022/07/27/1ghsamailing-listx_refsource_MLISTWEB
- www.jenkins.io/security/advisory/2022-07-27/mitrex_refsource_CONFIRM
- www.jenkins.io/security/advisory/2022-07-27/ghsaWEB
News mentions
0No linked articles in our index yet.