CVE-2022-36915
Description
Jenkins Android Signing Plugin 2.2.5 and earlier lacks permission check in form validation, allowing attackers with Item/Read to verify file patterns in workspace.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Details
Jenkins Android Signing Plugin versions 2.2.5 and earlier contain a missing permission check in the form validation method for the 'APKs to sign' field. Jenkins only enforces Item/Read to reach a job's URL space; a doCheckXxx form-validation method is itself responsible for any stricter check it needs. The doCheckApksToSign method in these versions performs none, so it requires neither Item/Workspace nor Item/Configure, and any user with Item/Read on the project can trigger the validation [1][3]. This stems from insufficient authorization enforcement during input validation [3].
Exploitation
An attacker with only Item/Read permission on a Jenkins project can exploit this flaw by sending a request to the form validation endpoint with an attacker-specified file pattern. The method then checks whether the pattern matches files in the project's workspace and reports the result in the validation message, without performing any further permission check [1][2]. No privilege beyond Item/Read, such as Item/Workspace or Item/Configure, is required, so the endpoint works as a file-existence oracle for low-privileged users.
Impact
Successful exploitation allows an attacker to determine whether files matching a chosen pattern exist in the workspace, leading to information disclosure. This could reveal details about the build environment, configuration, or source code structure [1][3]. The vulnerability does not allow file modification or code execution, but it compromises the confidentiality of workspace contents.
Mitigation
The fix was implemented in commit 33162c6 [4], which adds a checkPermission(Item.WORKSPACE) call to the validation method. However, as of the advisory date (2022-07-27), no official release containing the fix was announced [1][2]. Users should update to a patched version once available or apply the commit manually.
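The following is an added example, not the plugin's own source: a minimal Jenkins build-step descriptor that shows the form-validation shape described under Exploitation beside the hardened shape the fix commit applies, plus the quieter variant Jenkins recommends for form validation. The class and method names (ExampleGlobBuilder, doCheckFilePattern and its variants) are hypothetical; the Jenkins and Stapler APIs used are real.

```java
// Added example, not code from the Android Signing Plugin. Package, class and
// method names are hypothetical; hudson.* and org.kohsuke.stapler.* APIs are real.
package example;

import java.io.IOException;

import hudson.Extension;
import hudson.FilePath;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.QueryParameter;

public class ExampleGlobBuilder extends Builder {

    private final String filePattern;

    @DataBoundConstructor
    public ExampleGlobBuilder(String filePattern) {
        this.filePattern = filePattern;
    }

    public String getFilePattern() {
        return filePattern;
    }

    @Extension
    public static class DescriptorImpl extends BuildStepDescriptor<Builder> {

        // VULNERABLE shape. Stapler exposes a doCheckXxx method as .../checkXxx
        // under the job's URL, which Jenkins core guards only with Item/Read.
        // Nothing here asks for Item/Workspace, so the ok/warning/error result
        // tells the caller whether an attacker-chosen Ant glob matches a file.
        public FormValidation doCheckFilePatternVulnerable(
                @AncestorInPath AbstractProject<?, ?> project,
                @QueryParameter String value) throws IOException {
            if (project == null) {
                return FormValidation.warning("No project context");
            }
            FilePath ws = project.getSomeWorkspace();
            if (ws == null) {
                return FormValidation.warning("No workspace yet");
            }
            // validateFileMask answers "does this glob match anything here?"
            return ws.validateFileMask(value);
        }

        // HARDENED shape, mirroring the fix commit: checkPermission throws an
        // AccessDeniedException for callers without Item/Workspace, so the
        // existence oracle is closed before the workspace is consulted.
        public FormValidation doCheckFilePattern(
                @AncestorInPath AbstractProject<?, ?> project,
                @QueryParameter String value) throws IOException {
            if (project == null) {
                return FormValidation.warning("No project context");
            }
            project.checkPermission(Item.WORKSPACE);
            FilePath ws = project.getSomeWorkspace();
            if (ws == null) {
                return FormValidation.warning("No workspace yet");
            }
            return ws.validateFileMask(value);
        }

        // Quiet variant: users who can see the form but lack Item/Workspace get
        // no hint at all instead of an error, which is the usual Jenkins
        // guidance for form validation. Security-wise it is equivalent.
        public FormValidation doCheckFilePatternQuiet(
                @AncestorInPath AbstractProject<?, ?> project,
                @QueryParameter String value) throws IOException {
            if (project == null || !project.hasPermission(Item.WORKSPACE)) {
                return FormValidation.ok();
            }
            FilePath ws = project.getSomeWorkspace();
            if (ws == null) {
                return FormValidation.warning("No workspace yet");
            }
            return ws.validateFileMask(value);
        }

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }

        @Override
        public String getDisplayName() {
            return "Example glob builder";
        }
    }
}
```

The ordering matters: the permission check has to sit before `getSomeWorkspace()` and before any call that inspects workspace contents, since even the "No workspace yet" warning leaks whether the job has ever built.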
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:android-signing (Maven) | <= 2.2.5 | — |
Affected products
- Jenkins project / Jenkins Android Signing Plugin (CVE record v5): version range unspecified
Patches
33162c65c9f5 Fix SECURITY-2404 / CVE-2022-36915
1 file changed · +1 −0
src/main/java/org/jenkinsci/plugins/androidsigning/SignApksBuilder.java+1 −0 modified@@ -438,6 +438,7 @@ public FormValidation doCheckApksToSign(@AncestorInPath AbstractProject project, if (project == null) { return FormValidation.warning(Messages.validation_noProject()); } + project.checkPermission(Item.WORKSPACE); FilePath someWorkspace = project.getSomeWorkspace(); if (someWorkspace == null) { return FormValidation.warning(Messages.validation_noWorkspace());
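Review bot: `project.checkPermission(Item.WORKSPACE)` throws an AccessDeniedException for callers without Item/Workspace, which Jenkins surfaces as an error to anyone loading the configuration form who can configure the job but not read its workspace; the customary form-validation pattern degrades quietly instead, e.g. `if (!project.hasPermission(Item.WORKSPACE)) { return FormValidation.ok(); }`, which closes the file-existence oracle just as well without a spurious error for legitimate users. Placing the check after the `project == null` guard is correct, since there is no item to check against in that case, and it is correctly before `getSomeWorkspace()`, so the "no workspace" warning is no longer reachable by Item/Read-only callers either.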
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/advisories/GHSA-vp68-fm96-7v79 (GitHub Security Advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2022-36915 (NVD)
- [3] www.openwall.com/lists/oss-security/2022/07/27/1 (oss-security mailing list)
- [4] github.com/jenkinsci/android-signing-plugin/commit/33162c65c9f52ca5fa85609bdb652a5d1feda95b (fix commit)
- [5] www.jenkins.io/security/advisory/2022-07-27/ (Jenkins security advisory)