VYPR
Moderate severity · NVD Advisory · Published Sep 21, 2022 · Updated May 29, 2025

CVE-2022-41238

Description

DotCi Plugin for Jenkins lacks a permission check, allowing unauthenticated attackers to trigger arbitrary builds.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Summary

The DotCi Plugin for Jenkins (versions 2.40.00 and earlier) contains a missing permission check vulnerability. This flaw allows an unauthenticated attacker to trigger builds of jobs that correspond to any attacker-specified repository and commit, without requiring any authentication or prior access to the Jenkins instance [1][2].

Exploitation

Exploitation requires no authentication, as the permission check is absent. An attacker can craft a request to the Jenkins endpoint associated with the DotCi Plugin, specifying a target repository and a commit hash. The plugin will then initiate a build for the job that matches the attacker-supplied repository details [1][2]. No special network position is needed; the attacker only needs network access to the Jenkins UI or API [1].

Impact

By successfully triggering arbitrary builds, an attacker can cause unauthorized use of build resources, potentially leading to resource exhaustion, execution of malicious code within build environments, or exposure of internal build artifacts and secrets. The impact is considered high because it requires no authentication and can lead to significant operational disruption or data leakage [1][2].

Mitigation

Jenkins published a security advisory for this vulnerability in September 2022 [1]. Under the Jenkins project's policy, if the plugin maintainer does not provide a fix, administrators are advised to stop using the plugin or apply any workarounds provided [3]. As of the advisory date, no fix was available for the DotCi Plugin [1], and the plugin has been suspended from the Jenkins update center [3].
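Since the only mitigation is to stop using the plugin, the practical first step for an administrator is an inventory check. The following is an added example, not code from this advisory or from the DotCi project: it parses the plugin list that Jenkins' pluginManager JSON API (/pluginManager/api/json?depth=1) returns and flags DotCi installs at or below the affected version 2.40.00. The plugin short names matched and the sample JSON are assumptions constructed for the example.

```python
"""Inventory check for DotCi installs affected by CVE-2022-41238.

Parses the JSON returned by Jenkins' /pluginManager/api/json?depth=1 and
reports DotCi plugins whose version is within the affected range (<= 2.40.00).
"""
import json

AFFECTED_MAX = "2.40.00"  # upper bound of the affected range from the advisory
# Assumed shortName values for the com.groupon.jenkins-ci.plugins:DotCiMaven
# artifact; adjust to what your Jenkins instance actually reports.
DOTCI_NAMES = {"dotci", "dotcimaven"}

# Constructed sample response (not a dump from a real Jenkins instance).
SAMPLE_PLUGIN_JSON = json.dumps({
    "plugins": [
        {"shortName": "git", "version": "4.11.5", "active": True},
        {"shortName": "DotCi", "version": "2.40.00", "active": True},
        {"shortName": "workflow-aggregator", "version": "590.v6a_d052e5a_a_b_5", "active": True},
    ]
})


def parse_version(version):
    """Turn '2.40.00' into (2, 40, 0); a non-numeric component ends the parse,
    so Jenkins' hash-suffixed versions like '590.v6a_d05...' become (590,)."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_affected(version):
    """True when the version is at or below the advisory's affected bound."""
    return parse_version(version) <= parse_version(AFFECTED_MAX)


def find_vulnerable_dotci(plugin_json):
    """Return [(shortName, version)] for DotCi plugins in the affected range."""
    data = json.loads(plugin_json)
    return [(p["shortName"], p["version"]) for p in data.get("plugins", [])
            if p.get("shortName", "").lower() in DOTCI_NAMES
            and is_affected(p.get("version", "0"))]


if __name__ == "__main__":
    for name, ver in find_vulnerable_dotci(SAMPLE_PLUGIN_JSON):
        print(f"{name} {ver}: affected by CVE-2022-41238; no fix exists, disable or uninstall")
```

Replace SAMPLE_PLUGIN_JSON with the body fetched from your own instance's pluginManager API using an authenticated session.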

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                     Affected versions   Patched versions
com.groupon.jenkins-ci.plugins:DotCiMaven   <= 2.40.00          (none listed)

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 1