CVE-2022-36917
Description
Jenkins Google Cloud Backup Plugin 0.6 and earlier lacks a permission check, allowing attackers with Overall/Read to trigger manual backups.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Jenkins Google Cloud Backup Plugin versions 0.6 and earlier contain a missing permission check in its backup functionality. This flaw allows any authenticated user with the Overall/Read permission to request a manual backup without proper authorization [1][2].
Exploitation
An attacker needs only the Overall/Read permission, which is a low-privilege access level often granted to many users in Jenkins environments. By leveraging this permission, the attacker can invoke the backup operation through the plugin's interface or API, bypassing the intended access controls [1].
Impact
Successful exploitation enables an attacker to initiate a manual backup of Google Cloud resources. This could lead to unauthorized data exposure if backups are stored in accessible locations, or cause resource exhaustion due to repeated backup requests [1].
Mitigation
As of the advisory date (2022-07-27), no fix was available for this vulnerability. The plugin remains affected, and users are advised to restrict Overall/Read permissions or disable the plugin until a patched version is released [2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:google-cloud-backup (Maven) | <= 0.6 | — |
Affected products
- Jenkins project/Jenkins Google Cloud Backup Plugin (v5), Range: unspecified
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-9xhm-6w5p-335v (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-36917 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2022/07/27/1 (ghsa, mailing-list, x_refsource_MLIST, WEB)
- www.jenkins.io/security/advisory/2022-07-27/ (ghsa, x_refsource_CONFIRM, WEB)