CVE-2022-43413
Description
Jenkins Job Import Plugin 3.5 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Job Import Plugin 3.5 and earlier lacks a permission check, allowing attackers with Overall/Read to enumerate credential IDs.
Jenkins Job Import Plugin 3.5 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate the IDs of credentials stored in Jenkins [1][3]. Overall/Read is the lowest permission Jenkins grants: every logged-in user normally holds it, and instances configured for anonymous read access extend it to anyone who can reach the server, so the missing check turns a form helper meant for job importers into a credential-ID listing for the whole user base.
Exploitation is a single request to the unguarded endpoint, which returns its dropdown contents, the list of credential IDs, to any caller with Overall/Read [1]; no Job Import permission, job access or other privilege is consulted. The fix commit [4] shows that the affected code is the plugin descriptor's form-filler methods, and that there were two of them: `doFillCredentialIdItems`, which lists credential IDs, and `doFillJenkinsSitesItems`, whose option labels also embed each configured site's URL and default credentials ID.
The direct impact is information disclosure. A credential ID is not a secret by itself, but it is the handle by which Pipeline steps and job configuration refer to a credential, so knowing which IDs exist lets an attacker pick targets for a second weakness, for example a job they are allowed to configure that binds the credential, or another vulnerability that resolves an ID to its secret [1].
This vulnerability has been fixed in Job Import Plugin 3.6 [1][2]. The fix (commit 1b4119849571, SECURITY-2791) adds a `Jenkins.get().hasPermission(JOB_IMPORT)` check at the top of both form-filler methods, returning an empty list to callers who lack the Job Import permission [4]. Update to 3.6 or later; until then the exposure is bounded by who holds Overall/Read, so instances that grant it to anonymous users are the most exposed.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
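As an added example, not code from the Job Import Plugin or from Jenkins: a heuristic audit script for the vulnerability class behind SECURITY-2791, a Stapler form-validation endpoint (`doFill…Items`, `doCheck…`) whose body never consults a permission. It scans Java source text for such declarations and flags those containing no `hasPermission`, `hasAnyPermission` or `checkPermission` call, generalizing from the two methods in this fix to any plugin's descriptor. The two embedded inputs are constructed: one is modelled on the descriptor before the commit, the other on the patched version, with an extra `doCheckSiteUrl` method that is invented to show the `checkPermission` variant. Elided argument lists are left as comments, not reconstructed.

```python
"""Heuristic audit for Jenkins form-validation endpoints that never check a permission.

Added example modelled on the SECURITY-2791 fix; not part of the Job Import Plugin or
of Jenkins. Scans Java source text for Stapler form-filler/validation methods
(doFill*Items returning ListBoxModel/ComboBoxModel, doCheck* returning FormValidation)
and reports those whose body calls none of hasPermission/hasAnyPermission/checkPermission.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Declaration of an endpoint; requiring the return type avoids matching call sites.
METHOD = re.compile(
    r"\b(?:ListBoxModel|ComboBoxModel|FormValidation)\s+(do(?:Fill\w*Items|Check\w*))\s*\("
)
# The permission APIs a guarded endpoint is expected to call.
GUARD = re.compile(r"\b(?:has|check)(?:Any)?Permission\s*\(")


@dataclass
class Endpoint:
    name: str
    line: int      # 1-based line of the declaration
    guarded: bool  # True if the body consults a permission


def _matching(src: str, start: int, open_ch: str, close_ch: str) -> int:
    """Index of the delimiter closing src[start], or -1. Naive: string literals
    containing a brace or parenthesis will throw the count off."""
    depth = 0
    for i in range(start, len(src)):
        if src[i] == open_ch:
            depth += 1
        elif src[i] == close_ch:
            depth -= 1
            if depth == 0:
                return i
    return -1


def find_endpoints(src: str) -> list[Endpoint]:
    found: list[Endpoint] = []
    for m in METHOD.finditer(src):
        # m.end() - 1 is the '(' of the parameter list; annotations such as
        # @QueryParameter("value") nest parentheses inside it.
        close_paren = _matching(src, m.end() - 1, "(", ")")
        if close_paren < 0:
            continue
        j = close_paren + 1              # declaration ends at '{' (body) or ';' (abstract)
        while j < len(src) and src[j] not in "{;":
            j += 1
        if j >= len(src) or src[j] == ";":
            continue
        close_brace = _matching(src, j, "{", "}")
        if close_brace < 0:
            continue
        body = src[j:close_brace + 1]
        line = src.count("\n", 0, m.start()) + 1
        found.append(Endpoint(m.group(1), line, bool(GUARD.search(body))))
    return found


def unguarded(src: str) -> list[str]:
    """Names of endpoints whose body never consults a permission."""
    return [e.name for e in find_endpoints(src) if not e.guarded]


# Constructed sample modelled on the descriptor before the fix commit; the argument
# list the page elides is left as a comment rather than filled in.
BEFORE_FIX = """
public static final class JobImportActionDescriptor extends Descriptor<JobImportAction> {
    public ListBoxModel doFillCredentialIdItems() {
        return new StandardListBoxModel().includeEmptyValue()
                .includeMatchingAs(/* arguments elided */);
    }

    public ListBoxModel doFillJenkinsSitesItems() {
        final ListBoxModel listBoxModel = new ListBoxModel();
        JobImportGlobalConfig.get().getSites().stream().forEach(s -> listBoxModel.add(
                s.getName(), s.getName() + "-" + s.getUrl() + "-" + s.getDefaultCredentialsId()));
        return listBoxModel;
    }
}
"""

# Constructed sample with the SECURITY-2791 guards added, plus a doCheck method that is
# invented for illustration (not in the plugin) to show the checkPermission form.
AFTER_FIX = """
public static final class JobImportActionDescriptor extends Descriptor<JobImportAction> {
    public ListBoxModel doFillCredentialIdItems() {
        if (!Jenkins.get().hasPermission(JOB_IMPORT)) {
            return new StandardListBoxModel();
        }
        return new StandardListBoxModel().includeEmptyValue()
                .includeMatchingAs(/* arguments elided */);
    }

    public ListBoxModel doFillJenkinsSitesItems() {
        if (!Jenkins.get().hasPermission(JOB_IMPORT)) {
            return new StandardListBoxModel();
        }
        final ListBoxModel listBoxModel = new ListBoxModel();
        JobImportGlobalConfig.get().getSites().stream().forEach(s -> listBoxModel.add(
                s.getName(), s.getName() + "-" + s.getUrl() + "-" + s.getDefaultCredentialsId()));
        return listBoxModel;
    }

    public FormValidation doCheckSiteUrl(@QueryParameter("value") String value) {
        Jenkins.get().checkPermission(JOB_IMPORT);
        return FormValidation.ok();
    }
}
"""

if __name__ == "__main__":
    for label, src in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        for e in find_endpoints(src):
            print(f"{label:10} line {e.line:2} {'ok' if e.guarded else 'UNGUARDED':9} {e.name}")
```

Run as a script to print the per-method verdicts for both samples, or pass the text of a real `*.java` file to `find_endpoints`. It is a triage aid, not a proof: a check made against the wrong object or permission still counts as guarded, a brace inside a string literal can confuse the body extraction, and the findings are meant to tell a reviewer which methods to read.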
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:job-import-plugin (Maven) | < 3.6 | 3.6 |
Affected products
- (no CPE) range: <=3.5
- (no CPE) range: unspecified
Patches
1b4119849571 [SECURITY-2791]
1 file changed · +6 −0
src/main/java/org/jenkins/ci/plugins/jobimport/JobImportAction.java+6 −0 modified@@ -316,6 +316,9 @@ public static final class JobImportActionDescriptor extends Descriptor<JobImport public String getDisplayName() { return ""; } public ListBoxModel doFillCredentialIdItems() { + if (!Jenkins.get().hasPermission(JOB_IMPORT)) { + return new StandardListBoxModel(); + } return new StandardListBoxModel() .includeEmptyValue() .includeMatchingAs( @@ -334,6 +337,9 @@ public ListBoxModel doFillCredentialIdItems() { } public ListBoxModel doFillJenkinsSitesItems() { + if (!Jenkins.get().hasPermission(JOB_IMPORT)) { + return new StandardListBoxModel(); + } final ListBoxModel listBoxModel = new ListBoxModel(); JobImportGlobalConfig.get().getSites().stream().forEach(s -> listBoxModel.add(s.getName(), s.getName() + "-" + s.getUrl() + "-" + s.getDefaultCredentialsId())); return listBoxModel;
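Review bot: in doFillCredentialIdItems the denied branch returns a bare `new StandardListBoxModel()` while the permitted branch begins with `.includeEmptyValue()`, so a caller without JOB_IMPORT gets a dropdown with no entries at all rather than the usual empty option; `return new StandardListBoxModel().includeEmptyValue();` would keep the form rendering the same way and still disclose no credential ID. Returning an empty model rather than calling `checkPermission` is the right shape for a doFill method, since a thrown AccessDeniedException would surface as a broken select in the UI, and placing the check ahead of `includeMatchingAs` means no credential lookup runs at all for unauthorized callers.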
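Review bot: the guard in doFillJenkinsSitesItems is needed for the same reason as the one above, not just for consistency: each option label concatenates `s.getUrl()` and `s.getDefaultCredentialsId()`, so this endpoint also disclosed every configured site's URL and default credentials ID, which the advisory's "an HTTP endpoint" wording does not convey. Two nits: the denied branch returns a `StandardListBoxModel` while the method otherwise builds and returns a plain `ListBoxModel`, so `return new ListBoxModel();` would match the method's own type; and since the identical three-line guard now sits in both methods, a small private helper (for example `hasJobImportPermission()`, a suggested name) would keep the two checks from drifting apart.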
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-4g29-r7vj-2rpv (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-43413 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2022/10/19/3 (ghsa, mailing-list, WEB)
- github.com/jenkinsci/job-import-plugin/commit/1b4119849571d4879977c529f9972d271ad6a630 (ghsa, WEB)
- www.jenkins.io/security/advisory/2022-10-19/ (ghsa, WEB)
News mentions
No linked articles in our index yet.