VYPR
Moderate severity · NVD Advisory · Published Sep 21, 2022 · Updated May 28, 2025

CVE-2022-41252

Description

Jenkins CONS3RT Plugin 1.0.0 and earlier lacks permission checks, allowing users with Overall/Read permission to enumerate credential IDs stored in Jenkins.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Jenkins CONS3RT Plugin, versions 1.0.0 and earlier, does not perform permission checks in certain HTTP endpoints. As a result, a user holding only the Overall/Read permission can enumerate the IDs of credentials stored in Jenkins, even though listing credentials is meant to be limited to users who can configure the item the credentials would be used in, or to administrators [1][2].

Exploitation

An attacker who has been granted Overall/Read on the Jenkins instance can request the unprotected endpoints directly and receives the list of credential IDs in the response. Overall/Read is the lowest permission a logged-in Jenkins user holds: under the common "Logged-in users can do anything" authorization strategy every account has it, and instances that allow anonymous read access expose the endpoints without any account at all. No job-level permission, user interaction, or special condition is required beyond network access to the Jenkins web interface [1][2].
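The mechanism behind this class of Jenkins plugin bug, as an added illustration that is not the CONS3RT plugin's own code: the advisory says only that "certain endpoints" lack checks, and in Jenkins plugins the usual such endpoint is the doFill…Items form-validation method that populates a credentials dropdown. The first class below shows the unchecked version that hands the full ID list to any Overall/Read user; the second applies the checks that Jenkins' form-validation security guidance prescribes (Administer in the global context, Item/ExtendedRead or Credentials/UseItem in a job context). The class names, the build-step shape and the choice of username/password credentials are assumptions made for the example.

```java
// Added illustration, not the CONS3RT plugin's source: a Jenkins build step
// whose credentials dropdown is filled by a Stapler form-validation method.
// Class names are hypothetical; the checks in HardenedBuilder follow the
// pattern Jenkins' form-validation security guidance prescribes.
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.ListBoxModel;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.util.Collections;

/** BEFORE: reachable by anyone with Overall/Read, returns every matching credential ID. */
class VulnerableBuilder extends Builder {

    @Extension
    public static class DescriptorImpl extends BuildStepDescriptor<Builder> {

        // Stapler maps this method to
        //   GET /descriptorByName/<fully-qualified class>/fillCredentialsIdItems
        // (and to the job-scoped /job/<name>/descriptorByName/... variant).
        public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item item,
                                                     @QueryParameter String credentialsId) {
            // No permission check and no @POST: the response lists the ID of every
            // username/password credential visible in this context.
            return new StandardListBoxModel()
                    .includeEmptyValue()
                    .includeAs(ACL.SYSTEM, item, StandardUsernamePasswordCredentials.class,
                               Collections.emptyList());
        }

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }
    }
}

/** AFTER: the same endpoint gated on the permissions the dropdown is meant to require. */
class HardenedBuilder extends Builder {

    @Extension
    public static class DescriptorImpl extends BuildStepDescriptor<Builder> {

        @POST // reject GET, so the list cannot be pulled through a plain link
        public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item item,
                                                     @QueryParameter String credentialsId) {
            StandardListBoxModel result = new StandardListBoxModel();
            if (item == null) {
                // Global configuration context: administrators only.
                if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
                    return result.includeCurrentValue(credentialsId);
                }
            } else if (!item.hasPermission(Item.EXTENDED_READ)
                    && !item.hasPermission(CredentialsProvider.USE_ITEM)) {
                // Job context: the caller must be allowed to configure the job or to
                // use its credentials; otherwise echo back only the submitted value.
                return result.includeCurrentValue(credentialsId);
            }
            return result
                    .includeEmptyValue()
                    .includeAs(ACL.SYSTEM, item, StandardUsernamePasswordCredentials.class,
                               Collections.emptyList())
                    .includeCurrentValue(credentialsId);
        }

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }
    }
}
```

To confirm a fix of this shape on a test instance, log in as a user granted only Overall/Read and request the step's descriptorByName URL: the vulnerable descriptor answers a plain GET with the complete option list, while the hardened one rejects GET and, on a POST (with a CSRF crumb), returns nothing beyond the value the caller submitted. Note that the hardened version still requires the caller to reach the URL; it does not hide the existence of the plugin, only the credential IDs.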

Impact

Successful exploitation reveals the identifiers of the stored credentials visible to the endpoint. The IDs are not the secrets themselves, but they are the handles by which jobs and plugins refer to credentials, so an attacker who knows a valid ID can feed it to another vulnerable endpoint that takes a credential ID as input (for instance, a connection-test or form-validation method that uses the referenced credential against a caller-chosen host) and thereby capture or misuse the credential. The disclosure also tells an attacker which credentials exist on the instance, which helps in planning further attacks against the Jenkins system [1].

Mitigation

No fixed version of the CONS3RT Plugin had been released as of the advisory date (September 21, 2022), and the plugin remains listed as unresolved [1][2]. Because there is nothing to upgrade to, the effective mitigation is to remove or disable the plugin where it is not essential; a disabled plugin is not loaded, so its endpoints are no longer registered. Restricting Overall/Read to trusted users is the alternative, but since Overall/Read is the baseline permission of any logged-in user (and of anonymous users on instances that allow anonymous read), this amounts to restricting who may log in at all. To check exposure, confirm whether cons3rt is installed and at which version (Manage Jenkins > Plugins, or the plugin manager's pluginManager/api/json?depth=1 endpoint). The Jenkins Security Team's general guidance is to grant plugin permissions on a least-privilege basis [2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:cons3rt (Maven)
Affected versions: <= 1.0.0
Patched versions: none

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 1