VYPR
Moderate severity · NVD Advisory · Published Sep 21, 2022 · Updated May 27, 2025

CVE-2022-41250

Description

Missing permission check in Jenkins SCM HttpClient Plugin 1.5 and earlier allows attackers with Overall/Read permission to capture stored credentials by connecting to an attacker-controlled server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

CVE-2022-41250 is a missing permission check in the Jenkins SCM HttpClient Plugin versions 1.5 and earlier. The plugin fails to verify that a user has the necessary permissions to use specified credentials IDs when connecting to an HTTP server. This allows an attacker who already possesses Overall/Read permission (a low-privilege role) to trigger a connection to an attacker-controlled server using credentials IDs obtained through other means [1][2].

Exploitation

Prerequisites

To exploit this vulnerability, an attacker must have Overall/Read permission on the Jenkins instance and must have obtained valid credentials IDs through another method, such as exploiting other vulnerabilities or reading configuration files. The attacker then configures the SCM HttpClient post-build action to connect to their own server, supplying the stolen credentials IDs. The plugin will then send the corresponding credentials to the attacker's server, effectively capturing them [1][2].

Impact

Successful exploitation allows the attacker to capture credentials stored in Jenkins, which may include passwords, API tokens, or SSH keys. These credentials can then be used to further compromise the Jenkins environment or other systems accessible with those credentials [1][2].

Mitigation

Status

As of the Jenkins Security Advisory 2022-09-21, the SCM HttpClient Plugin is listed among plugins with unresolved security issues, meaning no official patch has been released. Users are advised to remove the plugin if not needed, or restrict access to Jenkins to trusted users only [1][2].
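A defender-side inventory check, added here and not part of the VYPR record or the Jenkins project: it reads the JSON that the Jenkins `/pluginManager/api/json?depth=1` endpoint returns and flags any installed plugin whose short name matches the affected artifact at version 1.5 or earlier, so an administrator can decide whether to remove it. The short name `scm-httpclient` is assumed from the Maven artifactId listed below; the sample JSON is constructed for the example.

```python
"""Flag installed Jenkins plugins in the CVE-2022-41250 affected range.

Added example, not code from the VYPR page or the Jenkins project.
Assumes the plugin's Jenkins shortName is "scm-httpclient" (taken from the
Maven artifactId com.meowlomo.jenkins:scm-httpclient) and that the relevant
version strings compare numerically, component by component.
"""
import json
import re

# shortName -> last affected version (page: "1.5 and earlier", no fixed release)
AFFECTED = {
    "scm-httpclient": "1.5",
}


def parse_version(version: str) -> tuple:
    """Turn '1.5' or '1.5.1' into a tuple of ints for ordered comparison."""
    numbers = re.findall(r"\d+", version)
    return tuple(int(n) for n in numbers) or (0,)


def is_affected(short_name: str, version: str, affected=AFFECTED) -> bool:
    """True when the plugin is listed and its version is <= the last affected one."""
    last_bad = affected.get(short_name)
    if last_bad is None:
        return False
    return parse_version(version) <= parse_version(last_bad)


def find_affected_plugins(api_json: str, affected=AFFECTED) -> list:
    """Return [(shortName, version)] for every installed plugin in the affected range."""
    data = json.loads(api_json)
    hits = []
    for plugin in data.get("plugins", []):
        name = plugin.get("shortName", "")
        version = str(plugin.get("version", ""))
        if is_affected(name, version, affected):
            hits.append((name, version))
    return hits


# Constructed sample in the shape returned by GET /pluginManager/api/json?depth=1
SAMPLE = json.dumps({"plugins": [
    {"shortName": "scm-httpclient", "version": "1.5", "enabled": True},
    {"shortName": "credentials", "version": "1189.vf61b_a_5e2f62e", "enabled": True},
]})

if __name__ == "__main__":
    for name, version in find_affected_plugins(SAMPLE):
        print(f"{name} {version}: in CVE-2022-41250 affected range, "
              f"no fixed version published; remove the plugin if not needed")
```

In a live environment, replace `SAMPLE` with the response body fetched from the Jenkins controller using an API token that has Overall/Administer, and treat any hit as a plugin to remove or an instance whose user population needs to be restricted, since no patched version exists.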

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.meowlomo.jenkins:scm-httpclient (Maven)
Affected versions: <= 1.5
Patched versions: (none listed)

Affected products: 2

Patches: 0. No patches discovered yet.

References: 4

News mentions: 1