CVE-2022-36912

The Jenkins Openstack Heat Plugin versions 1.5 and earlier contain a missing permission check vulnerability [1]. This flaw allows an attacker with only Overall/Read permission to trigger HTTP requests to an attacker-specified URL [1]. This occurs because the plugin does not properly validate whether the user has the necessary permissions to initiate such connections [1].

Exploitation requires the attacker to have at least Overall/Read permission on the Jenkins instance, which is a relatively low-privilege level [2]. The attacker can then craft a request that causes the plugin to connect to an arbitrary external URL, potentially leading to server-side request forgery (SSRF) or other network attacks [3]. The attack does not require high network privileges as it originates from the Jenkins server itself [2].

The impact is that an attacker can force the Jenkins server to interact with external systems, which could be used for reconnaissance, data exfiltration, or to attack internal services that are reachable from the Jenkins server [3]. This vulnerability is categorized as medium severity with a CVSS score reflecting the requirement for some level of access [1].

Jenkins has released an update to address this vulnerability, and users are advised to upgrade to the latest version of the Openstack Heat Plugin [1]. The plugin's repository contains the fix in subsequent commits [4].