VYPR
Moderate severity · NVD Advisory · Published Sep 21, 2022 · Updated May 28, 2025

CVE-2022-41242

Description

Missing permission check in Jenkins extreme-feedback Plugin 1.7 and earlier allows attackers with Overall/Read permission to disclose lamp information and rename lamps.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Description

The Jenkins extreme-feedback Plugin up to and including version 1.7 performs no permission check in several of its HTTP endpoints. Because reaching those endpoints requires only Overall/Read, users holding that permission can call functions that should be restricted to administrators: listing the job names attached to lamps, retrieving the MAC and IP addresses of lamps, and renaming lamps [1][2].

Exploitation

To exploit this vulnerability, an attacker needs Overall/Read on the Jenkins instance. Most authorization strategies grant that permission to every authenticated user, and instances that allow anonymous read grant it to unauthenticated visitors as well. The affected endpoints check nothing beyond that, so with Overall/Read the attacker can enumerate job-to-lamp mappings, obtain the network details (MAC and IP addresses) of the physical lamps, and rename lamps arbitrarily [1].
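As an added example that is not the extreme-feedback plugin's own code, the following hypothetical Jenkins RootAction shows the bug class the description and exploitation sections describe, a Stapler web method reachable with Overall/Read that performs no permission check of its own, beside its hardened form. The class name, URL path, in-memory lamp registry and field layout are assumptions made up for the illustration; the permission and Stapler calls (Jenkins.get().checkPermission, Jenkins.ADMINISTER, @RequirePOST, @QueryParameter) are the standard Jenkins and Stapler APIs.

```java
// Added illustration for this advisory; NOT the extreme-feedback plugin's source.
// The action name, URL path, lamp fields and registry are assumptions for the example.
import hudson.Extension;
import hudson.model.RootAction;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

@Extension
public class LampExampleAction implements RootAction {

    /** Hypothetical registry: lamp id -> {name, mac, ip}. */
    private final Map<String, String[]> lamps = new ConcurrentHashMap<>();

    public LampExampleAction() {
        lamps.put("lamp-1", new String[] {"build-lamp", "00:11:22:33:44:55", "10.0.0.42"});
    }

    @Override public String getIconFileName() { return null; }      // no sidebar entry
    @Override public String getDisplayName() { return null; }
    @Override public String getUrlName() { return "lamp-example"; } // served under /lamp-example/

    // --- Vulnerable pattern (the bug class behind CVE-2022-41242) -------------
    // Stapler exposes every public do* method of a RootAction as a URL. Reaching a
    // RootAction needs only Overall/Read, and this method checks nothing itself, so
    // any Overall/Read user can call
    //   GET /lamp-example/renameLampUnchecked?id=lamp-1&name=pwned
    public HttpResponse doRenameLampUnchecked(@QueryParameter String id,
                                              @QueryParameter String name) {
        String[] lamp = lamps.get(id);
        if (lamp == null) {
            return HttpResponses.notFound();
        }
        lamp[0] = name;
        return HttpResponses.ok();
    }

    // --- Hardened form --------------------------------------------------------
    // @RequirePOST: a state change must not be reachable by GET, otherwise a
    //   crafted link or <img> tag is enough to trigger it (Stapler answers 405).
    // checkPermission(Jenkins.ADMINISTER): throws an access-denied exception for a
    //   caller without Overall/Administer, rendered by Jenkins as HTTP 403 (or a
    //   login redirect for anonymous callers). The body never runs in that case.
    @RequirePOST
    public HttpResponse doRenameLamp(@QueryParameter String id,
                                     @QueryParameter String name) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        String[] lamp = lamps.get(id);
        if (lamp == null) {
            return HttpResponses.notFound();
        }
        lamp[0] = name;
        return HttpResponses.ok();
    }

    // Read-only, but MAC and IP addresses are infrastructure details: gate the
    // disclosure on Overall/Administer too, not merely on the implicit Overall/Read.
    public HttpResponse doLampNetwork(@QueryParameter String id) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        String[] lamp = lamps.get(id);
        if (lamp == null) {
            return HttpResponses.notFound();
        }
        return HttpResponses.plainText(lamp[1] + " " + lamp[2]);
    }
}
```

The point of the hardened form is that the permission check sits at the top of the web method, before any lookup or mutation, and that it names a specific permission rather than relying on the implicit Overall/Read that every RootAction already requires. Whether Overall/Administer is the right permission for a given endpoint is a design decision; what the advisory describes is the absence of any such decision.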

Impact

Successful exploitation leads to information disclosure of job names and lamp network configurations (MAC and IP addresses). Additionally, an attacker can rename lamps, potentially causing confusion or disrupting visual feedback mechanisms that rely on lamp naming [2].

Mitigation

The Jenkins security advisory calls for the missing permission checks to be added, but the advisory data reproduced on this page lists no patched version for the plugin (see Affected packages below); users should check the plugin's repository for a release that adds the checks [3]. Until such a release exists, administrators should treat the plugin as unpatched: uninstall or disable it where the lamps are not needed, or make sure Overall/Read is held only by trusted users and is not granted to anonymous [1]. Overall/Read is a prerequisite for most normal Jenkins use, so restricting it is a coarse control; removing the plugin is the more targeted option.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                         Affected versions   Patched versions
org.jenkins-ci.plugins:extreme-feedback (Maven) <= 1.7              (none listed)

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 3

News mentions: 1