CVE-2022-36909

A missing permission check in Jenkins OpenShift Deployer Plugin 1.2.0 and earlier allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system and to upload an SSH key file from the Jenkins controller file system to an attacker-specified URL [1][2][3]. This vulnerability occurs because the plugin does not properly validate that the user has the necessary permissions for these actions.

The attack requires only Overall/Read permission, which is commonly granted to many Jenkins users. An attacker can probe arbitrary file paths on the controller to confirm their existence, then upload an SSH key file (e.g., /var/lib/jenkins/.ssh/id_rsa) to an external server, bypassing any intended access controls [1][3][4]. The plugin's use of SSH keys for OpenShift authentication makes this a high-risk vector for credential theft.

Successful exploitation allows an attacker to exfiltrate SSH keys, which could be used to authenticate to and compromise OpenShift deployments managed by Jenkins [4]. As the plugin only supports OpenShift v2 (which is end-of-life), no fix is expected, and the vulnerability remains unresolved [1][2]. Users should remove the plugin or restrict access to Jenkins jobs requiring Overall/Read.