CVE-2022-41246
Description
Jenkins Worksoft Execution Manager Plugin <=10.0.3.503 lacks a permission check, allowing attackers with Overall/Read to capture stored credentials by connecting to attacker-controlled URLs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Jenkins Worksoft Execution Manager Plugin versions 10.0.3.503 and earlier contain a missing permission check in a function that allows the plugin to connect to external URLs. This flaw stems from the absence of an authorization check before executing a connection request, enabling attackers to abuse the plugin's functionality without proper validation [1][3].
To exploit this vulnerability, an attacker must have at least Overall/Read permission on the Jenkins instance, which is a low-privilege permission. Additionally, the attacker needs to obtain valid credential IDs from Jenkins by another means, such as exploiting a separate vulnerability or enumerating stored credentials. Once these prerequisites are met, the attacker can craft a request that causes the plugin to connect to an attacker-specified URL using those credential IDs, effectively exfiltrating the credentials to an external server [1][3].
The impact of successful exploitation is the capture of credentials stored in Jenkins, which may include passwords, API tokens, or other sensitive authentication material. This could lead to further compromise of the Jenkins environment or connected systems. The vulnerability is rated with a CVSS score that reflects the potential for credential theft [3].
As a mitigation, users should upgrade to Worksoft Execution Manager Plugin version 10.0.3.504 or later, which includes the necessary permission check. The Jenkins security advisory provides details on the fix and affected versions [1]. No workaround is mentioned, so updating is the recommended course of action.
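To make the missing check concrete, the following is an added illustration (not code from the Worksoft Execution Manager Plugin or from the Jenkins project) of the standard Jenkins form-validation pattern this class of advisory refers to: a descriptor method that connects to a user-supplied URL, shown once without any check and once with the POST requirement and permission check that closes the hole. The class and method names (`ExampleConnection`, `doTestConnectionUnchecked`, `doTestConnection`, `tryConnect`) are hypothetical; the Jenkins and Stapler APIs used are real.

```java
import hudson.Extension;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
import hudson.model.Item;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.net.MalformedURLException;
import java.net.URL;

// Hypothetical describable standing in for a plugin's server-connection configuration.
public class ExampleConnection extends AbstractDescribableImpl<ExampleConnection> {

    @Extension
    public static class DescriptorImpl extends Descriptor<ExampleConnection> {

        @Override
        public String getDisplayName() {
            return "Example connection";
        }

        // BEFORE (the pattern CVE-2022-41246 describes): a form-validation endpoint that is
        // reachable by GET and performs no permission check. Any user with Overall/Read can make
        // the Jenkins controller connect to a URL of their choosing with a credentials ID they know.
        public FormValidation doTestConnectionUnchecked(@QueryParameter String url,
                                                        @QueryParameter String credentialsId) {
            return tryConnect(url, credentialsId);
        }

        // AFTER: POST only (a crafted link can no longer trigger it), and the caller must hold
        // Item/Configure on the job being edited, or Overall/Administer when the form is used
        // outside any job. This is the usual Jenkins form-validation hardening.
        @RequirePOST
        public FormValidation doTestConnection(@AncestorInPath Item item,
                                               @QueryParameter String url,
                                               @QueryParameter String credentialsId) {
            if (item == null) {
                Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            } else {
                item.checkPermission(Item.CONFIGURE);
            }
            return tryConnect(url, credentialsId);
        }

        // Stand-in for the plugin's real connection test: only parses the URL and restricts it
        // to https; no network call and no credential lookup is performed in this example.
        private static FormValidation tryConnect(String url, String credentialsId) {
            try {
                URL parsed = new URL(url);
                if (!"https".equals(parsed.getProtocol())) {
                    return FormValidation.error("Only https URLs are accepted");
                }
            } catch (MalformedURLException e) {
                return FormValidation.error("Invalid URL: " + e.getMessage());
            }
            if (credentialsId == null || credentialsId.isEmpty()) {
                return FormValidation.warning("No credentials selected");
            }
            return FormValidation.ok("URL accepted (connection test not performed in this example)");
        }
    }
}
```

The two checks work together: `@RequirePOST` stops the endpoint from being triggered by a simple link, and `checkPermission` ties the ability to make the controller connect outward, with stored credentials, to users who are already allowed to configure the item. Either one alone leaves a gap.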
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:ws-execution-manager (Maven) | <= 10.0.3.503 | — |
Affected products
- Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-p5hr-rf6w-3vvh (GHSA, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-41246 (GHSA, ADVISORY)
- www.jenkins.io/security/advisory/2022-09-21/ (GHSA, x_refsource_CONFIRM, WEB)
News mentions
- Jenkins Security Advisory 2022-09-21 (Jenkins Security Advisories · Sep 21, 2022)