Moderate severity · NVD Advisory · Published Jul 27, 2022 · Updated Aug 3, 2024

CVE-2022-36919

Description

Missing permission check in Jenkins Coverity Plugin 1.11.4 and earlier allows attackers with Overall/Read to enumerate credentials IDs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Jenkins Coverity Plugin version 1.11.4 and earlier contains a missing permission check vulnerability (CVE-2022-36919). The plugin fails to properly validate permissions when accessing a specific API endpoint, allowing users with Overall/Read permission to bypass authorization checks [1][4]. This oversight enables an attacker to enumerate credentials IDs stored in Jenkins.

An attacker needs only Overall/Read permission, which is typically granted to low-privileged users, or to anonymous users if so configured. The attack can be performed via crafted HTTP requests to the vulnerable endpoint and requires no privileges beyond that permission [1].

By enumerating credential IDs, an attacker can map the available credentials, potentially leading to further exploitation if combined with other vulnerabilities. While the credential IDs themselves do not expose secret values, they provide critical information for targeting specific credentials in subsequent attacks [4].

As of this advisory, no fix has been released by the plugin maintainer, and the plugin may be considered unmaintained. Users are advised to restrict Overall/Read permission or remove the plugin if not in use [1].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:coverity (Maven)
Affected versions: <= 1.11.4
Patched versions: none listed

Patches

0

No patches discovered yet.

References

5
