VYPR
Moderate severity · NVD Advisory · Published Jul 27, 2022 · Updated Aug 3, 2024

CVE-2022-36914

Description

Jenkins Files Found Trigger Plugin 1.5 and earlier lacks a permission check in a form validation method, allowing attackers with Overall/Read to probe file existence on the controller.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Details

The Jenkins Files Found Trigger Plugin, versions 1.5 and earlier, contains a missing permission check in a method that implements form validation. According to the Jenkins Security Advisory [1], this flaw allows any user with the Overall/Read permission to invoke the validation endpoint without further authorization. The root cause is the absence of an access control check, which should have restricted this operation to users with higher privileges such as Overall/Administer.

Exploitation

An attacker who has obtained Overall/Read permission on a Jenkins instance can exploit this vulnerability by sending a crafted request to the form validation endpoint. The attacker specifies an arbitrary file path on the Jenkins controller's file system. The plugin then checks whether that path exists and returns a response indicating the result. No additional authentication or network position is required beyond the initial Jenkins login [3].

Impact

Successful exploitation allows an attacker to enumerate files on the Jenkins controller, effectively performing a file existence oracle. This information disclosure can reveal the presence of sensitive files, such as configuration files, credential stores, or plugin binaries, which may aid in further attacks. The impact is limited to file existence checks; the attacker cannot read file contents directly through this vulnerability [1][3].

Mitigation

As of the advisory publication date, no fixed version of the Files Found Trigger Plugin has been released. The plugin is listed among unresolved security issues in the Jenkins Security Advisory [1]. Administrators are advised to restrict the Overall/Read permission to trusted users only, or to remove or disable the plugin if it is not essential. Monitoring for unexpected form validation requests may also help detect exploitation attempts.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
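As an added illustration, not the plugin's own code and not taken from the advisory, the shape of the flaw described under Details and Mitigation above: a Stapler form-validation method that probes the controller's file system, shown first without a permission check and then gated on Overall/Administer. The class, method and parameter names are assumptions.

```java
package example; // hypothetical package, not the plugin's own

import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;

import java.io.File;

/**
 * Illustrative form-validation methods of the kind the advisory describes.
 * Names are assumptions; the real plugin's method is not reproduced here.
 */
public class FilePathValidationExample {

    /**
     * VULNERABLE pattern: Stapler exposes public do* methods as web
     * endpoints, so this doCheck method is reachable by any user who can
     * reach the UI (Overall/Read). With no permission check before the
     * File.exists() call, the ok/error reply becomes a file-existence
     * oracle for arbitrary paths on the controller.
     */
    public FormValidation doCheckPathVulnerable(@QueryParameter String value) {
        if (value == null || value.trim().isEmpty()) {
            return FormValidation.ok();
        }
        if (!new File(value).exists()) {
            return FormValidation.error("Path does not exist on the controller");
        }
        return FormValidation.ok();
    }

    /**
     * HARDENED pattern: require Overall/Administer before touching the
     * file system. checkPermission() throws AccessDeniedException for an
     * unauthorised caller, so the existence check never runs and the
     * response carries no information about the controller's files.
     */
    public FormValidation doCheckPathHardened(@QueryParameter String value) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        if (value == null || value.trim().isEmpty()) {
            return FormValidation.ok();
        }
        if (!new File(value).exists()) {
            return FormValidation.error("Path does not exist on the controller");
        }
        return FormValidation.ok();
    }
}
```

The narrative above names Overall/Administer, so the hardened method gates on Jenkins.ADMINISTER; for a job-scoped trigger, Jenkins plugin guidance is to take the owning item via @AncestorInPath and call item.checkPermission(Item.CONFIGURE) instead.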

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:files-found-trigger (Maven)
Affected versions: <= 1.5
Patched versions: (none listed)
