CVE-2022-36921
Description
Missing permission check in Jenkins Coverity Plugin ≤1.11.4 allows attackers with Overall/Read to connect to attacker-specified URLs using stolen credential IDs, leaking stored credentials.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A missing permission check in Jenkins Coverity Plugin versions 1.11.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method. The plugin does not verify that the user has the necessary permissions to perform this action, enabling unauthorized credential usage. [1][2]
Exploitation
An attacker must have at least Overall/Read permission on the Jenkins instance. If the attacker supplies a known credential ID (obtained via information disclosure, for example) together with a URL they control, the plugin connects to that URL using the stored credential, and the attacker's server captures the credential as it is transmitted. [2][4]
Impact
Successful exploitation allows an attacker to capture Jenkins-stored credentials, which can then be reused to compromise other systems or services. This can lead to lateral movement and further security breaches. [2][4]
Mitigation
The Coverity Plugin is deprecated and no longer maintained. No patch is available. Users should migrate to the Synopsys Coverity Jenkins Plugin as recommended by the vendor. [1][2]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:coverityMaven | <= 1.11.4 | — |
Affected products
- Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing authorization check allows attackers with Overall/Read permission to trigger outbound connections using attacker-controlled credentials IDs."
Attack vector
An attacker with only Overall/Read permission (a low-privilege role) can exploit the missing authorization check [CWE-862] in the Coverity Plugin. The attacker crafts a request that causes the plugin to connect to an attacker-specified URL using credentials IDs obtained through another method (e.g., another vulnerability). When Jenkins connects to that URL, the credentials stored in Jenkins are captured by the attacker-controlled server [1].
Affected code
The advisory does not specify exact file paths or function names. The vulnerability exists in the Jenkins Coverity Plugin versions 1.11.4 and earlier, where a missing permission check allows attackers with Overall/Read permission to trigger an HTTP connection to an attacker-specified URL using attacker-specified credentials IDs.
What the fix does
No patch is provided in the bundle. The advisory indicates the plugin is deprecated and no longer maintained (support ended 06/30/2019) [1]. The recommended remediation is to migrate to the new Synopsys Coverity Jenkins Plugin, as the functionality has been moved to that maintained plugin [1].
Preconditions
- Auth: Attacker must have Overall/Read permission on the Jenkins instance
- Input: Attacker must obtain valid credentials IDs through another method (e.g., another vulnerability)
- Network: Attacker must control a server reachable from the Jenkins instance to receive captured credentials
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-99mq-hw5m-gwjj (source: GHSA; type: advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-36921 (source: GHSA; type: advisory)
- www.openwall.com/lists/oss-security/2022/07/27/1 (source: GHSA, MITRE; type: mailing list, x_refsource_MLIST, web)
- www.jenkins.io/security/advisory/2022-07-27/ (source: MITRE; type: x_refsource_CONFIRM)
- www.jenkins.io/security/advisory/2022-07-27/ (source: GHSA; type: web)
News mentions
No linked articles in our index yet.