CVE-2022-36918

Vulnerability

Details

Jenkins Buckminster Plugin versions 1.1.1 and earlier contain a missing permission check in a method that implements form validation [1][3]. This flaw allows an attacker with only Overall/Read permission to probe for the existence of arbitrary file paths on the Jenkins controller's file system [1][2]. The root cause is that the plugin does not verify that the user has the necessary permissions before executing the file existence check.

Exploitation

An attacker who has been granted the Overall/Read permission (a low-privilege role) can exploit this vulnerability by sending crafted requests to the form validation endpoint [1]. No additional authentication or network position is required beyond having a valid Jenkins account with that permission. The attacker can specify any file path on the controller's file system, and the plugin will respond indicating whether the file exists [3].

Impact

Successful exploitation allows the attacker to determine the existence of files on the Jenkins controller, such as configuration files, credentials files, or other sensitive data [1][3]. While this does not directly expose file contents, it can be used to gather information for further attacks, such as confirming the presence of specific software or misconfigurations.

Mitigation

As of the advisory publication date (2022-07-27), no fix was available for the Buckminster Plugin [1][2]. Users are advised to restrict Overall/Read permission to trusted users only, or to remove the plugin if it is not essential. The plugin remains listed as an unresolved security issue in the Jenkins security advisory [2].