VYPR
Moderate severity · NVD Advisory · Published Sep 21, 2022 · Updated May 28, 2025

CVE-2022-41234

Description

Jenkins Rundeck Plugin 3.6.11 and earlier lacks access control on the webhook endpoint, allowing users with Overall/Read permission to trigger jobs configured for Rundeck.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

The Jenkins Rundeck Plugin versions 3.6.11 and earlier fail to enforce access control on the /plugin/rundeck/webhook/ endpoint. This endpoint is intended to receive webhook notifications from Rundeck to trigger Jenkins jobs, but the plugin does not verify that the requesting user has the necessary permissions to trigger those jobs. The root cause is a missing permission check on the webhook handler [1][3].

Exploitation

An attacker with only Overall/Read permission in Jenkins can send crafted HTTP requests to the unprotected webhook endpoint. No additional authentication or authorization is required beyond having a Jenkins account with that minimal permission. The attack is feasible for any job that has been configured to be triggerable via Rundeck, as the endpoint will process the request and initiate the job execution [1].

Impact

Successful exploitation allows an attacker to trigger arbitrary jobs that are set up for Rundeck-based triggering. This could lead to unauthorized actions such as deploying software, running scripts, or other operations defined in the triggered jobs, depending on the job configuration. The impact is limited to jobs explicitly configured for Rundeck triggering, but within that scope, the attacker can cause unintended executions [1][3].

Mitigation

The Jenkins security advisory recommends upgrading to Rundeck Plugin version 3.6.12 or later, which adds proper access control to the webhook endpoint. Users should also review which jobs are configured for Rundeck triggering and ensure that only trusted users have Overall/Read access [1].
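A defender-side audit script, added here as an example and not code from the Rundeck plugin or the advisory: it checks the installed Rundeck plugin version against the 3.6.12 fix version named above, and scans Jenkins access-log lines for requests to the /plugin/rundeck/webhook/ endpoint so the users who reached it can be reviewed. It assumes the plugin's shortName is "rundeck" in the JSON served by Jenkins' /pluginManager/api/json?depth=1, and that the access log is in NCSA combined format; the plugin JSON and log lines embedded below are constructed samples.

```python
import json
import re
from typing import Optional

# Fixed version per the advisory: Rundeck Plugin 3.6.12 adds access control
# to the webhook endpoint, so anything below it is affected.
PATCHED_VERSION = "3.6.12"
WEBHOOK_PATH = "/plugin/rundeck/webhook/"


def parse_version(text: str) -> tuple:
    """Turn '3.6.11' (or '3.6.11-rc1') into a comparable tuple of ints.
    Non-numeric suffixes are dropped; '3.7' compares above '3.6.12'."""
    core = re.match(r"\d+(?:\.\d+)*", text)
    if not core:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in core.group(0).split("."))


def is_vulnerable(installed: str) -> bool:
    """True when the installed plugin version predates the patched release."""
    return parse_version(installed) < parse_version(PATCHED_VERSION)


def find_rundeck_plugin(plugin_manager_json: str) -> Optional[dict]:
    """Locate the Rundeck plugin entry in the output of
    /pluginManager/api/json?depth=1 (shortName 'rundeck' is an assumption)."""
    data = json.loads(plugin_manager_json)
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") == "rundeck":
            return plugin
    return None


def assess(plugin_manager_json: str) -> dict:
    """Summarise whether this controller is exposed to CVE-2022-41234."""
    plugin = find_rundeck_plugin(plugin_manager_json)
    if plugin is None:
        return {"installed": False, "version": None, "vulnerable": False}
    version = plugin.get("version", "")
    return {"installed": True, "version": version,
            "vulnerable": is_vulnerable(version)}


# NCSA-style access log line: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def webhook_hits(log_lines) -> list:
    """Return every parsed request whose path is under the webhook endpoint,
    so the authenticated user behind each trigger can be reviewed."""
    hits = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not access-log records
        if match.group("path").startswith(WEBHOOK_PATH):
            hits.append({
                "user": match.group("user"),
                "ip": match.group("ip"),
                "method": match.group("method"),
                "status": int(match.group("status")),
                "time": match.group("ts"),
            })
    return hits


# Constructed sample data standing in for a live controller.
SAMPLE_PLUGIN_JSON = json.dumps({"plugins": [
    {"shortName": "git", "version": "4.11.0"},
    {"shortName": "rundeck", "version": "3.6.11"},
]})

SAMPLE_LOG = [
    '10.0.0.5 - alice [21/Sep/2022:10:15:32 +0000] "POST /plugin/rundeck/webhook/ HTTP/1.1" 200 12',
    '10.0.0.7 - bob [21/Sep/2022:10:16:01 +0000] "GET /job/deploy/ HTTP/1.1" 200 5321',
    '10.0.0.9 - carol [21/Sep/2022:10:17:44 +0000] "POST /plugin/rundeck/webhook/?job=deploy HTTP/1.1" 200 12',
    'not an access log line',
]

if __name__ == "__main__":
    print("plugin assessment:", assess(SAMPLE_PLUGIN_JSON))
    for hit in webhook_hits(SAMPLE_LOG):
        print("webhook request by", hit["user"], "from", hit["ip"], "at", hit["time"])
```

On a real controller, feed `assess()` the body of an authenticated GET to /pluginManager/api/json?depth=1 and `webhook_hits()` the controller's access log; any user appearing in the hits who should not be able to start Rundeck-triggered jobs is worth following up, independent of the upgrade.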

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:rundeck (Maven)
Affected versions: < 3.6.12
Patched versions: 3.6.12

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 1