CVE-2022-41254
Description
Missing permission checks in Jenkins CONS3RT Plugin allow attackers with Overall/Read permission to connect to attacker-specified servers and capture credentials.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Description
The Jenkins CONS3RT Plugin, version 1.0.0 and earlier, contains missing permission checks that allow attackers who have the Overall/Read permission to connect to an attacker-specified HTTP server [1][3]. The attacker can specify credentials IDs obtained through another method, effectively capturing those credentials stored in Jenkins during the connection attempt [1][2].
Attack Surface and Prerequisites
To exploit this vulnerability, an attacker must first have Overall/Read permission in a Jenkins environment — a relatively low-privilege access level. They also need to obtain valid credential IDs from Jenkins through separate means (e.g., by exploiting another vulnerability or through configuration exposure). Once these prerequisites are met, the attacker can craft malicious requests that cause the plugin to connect to their controlled HTTP server using those credentials, leading to their exfiltration [1][2].
Impact
Successful exploitation results in the disclosure of Jenkins credentials, which could be used to gain more privileged access to Jenkins or to other systems that those credentials are intended for. This undermines the security of the Jenkins instance and any external services integrated via credentials [1][3].
Mitigation
At the time of publication (2022-09-21), there was no fixed version available for the CONS3RT Plugin; it remained unresolved [1][2]. Users are advised to restrict the Overall/Read permission to trusted users, monitor for suspicious connections, and consider removing or disabling the plugin if it is not essential. The vulnerability was noted in the Jenkins security advisory but no patch had been released [1][2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:cons3rt (Maven) | <= 1.0.0 | — |
Affected products
- Range: unspecified
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-74x9-fhc2-p79f (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-41254 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2022/09/21/5 (ghsa, mailing-list, x_refsource_MLIST, WEB)
- www.jenkins.io/security/advisory/2022-09-21/ (ghsa, x_refsource_CONFIRM, WEB)
News mentions
- Jenkins Security Advisory 2022-09-21 (Jenkins Security Advisories · Sep 21, 2022)