CVE-2022-43431
Description
Jenkins Compuware Strobe Measurement Plugin 1.0.1 and earlier lacks a permission check in an HTTP endpoint, allowing attackers with Overall/Read to enumerate credential IDs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Description
The Jenkins Compuware Strobe Measurement Plugin versions 1.0.1 and earlier contain a missing permission check in an HTTP endpoint. This flaw allows an attacker with only the Overall/Read permission to enumerate the IDs of credentials stored in Jenkins [1][3]. The root cause is the absence of an access control check on the endpoint, which should have required a higher privilege level.
Exploitation
An attacker who already has Overall/Read access (a low-privilege permission often granted to many users) can exploit this by sending a crafted request to the vulnerable endpoint. No additional authentication or network position is required beyond being able to reach the Jenkins instance [2]. The endpoint returns a list of credential IDs, which are internal identifiers for stored credentials.
Impact
While the actual credential secrets (passwords, keys) are not exposed, the ability to enumerate credential IDs can aid an attacker in planning further attacks. For example, knowing the IDs may allow an attacker to target specific credentials in subsequent exploits or to map out the credential store [1][3]. This information disclosure increases the risk of credential compromise in combination with other vulnerabilities.
Mitigation
The vulnerability has been fixed in the Compuware Strobe Measurement Plugin version 1.0.2. Users should upgrade to this version or later as soon as possible [1][4]. No workarounds are documented; the only remediation is to update the plugin.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.compuware.jenkins:compuware-strobe-measurement (Maven) | < 1.0.2 | 1.0.2 |
Affected products
- Range: unspecified
Patches
29a0d38d12e3: Merge pull request #8 from jenkinsci/VulnerabilityFix-Missing-permission-check-SECURITY-2631
1 file changed · +6 −6
pom.xml+6 −6 modified@@ -34,15 +34,15 @@ <developers> <developer> - <id>VinceCapodanno</id> - <name>Vince Capodanno</name> - <email>vince.capodanno@compuware.com</email> + <id>pramodc0777</id> + <name>Pramod Chaudhari</name> + <email>pramod_chaudhari2@bmc.com</email> </developer> </developers> <scm> - <connection>scm:git:ssh://github.com/jenkinsci/compuware-strobe-measurement-plugin.git</connection> - <developerConnection>scm:git:ssh://git@github.com/jenkinsci/compuware-strobe-measurement-plugin.git</developerConnection> + <connection>scm:git:https://github.com/jenkinsci/compuware-strobe-measurement-plugin.git</connection> + <developerConnection>scm:git:https://github.com/jenkinsci/compuware-strobe-measurement-plugin.git</developerConnection> <url>https://github.com/jenkinsci/compuware-strobe-measurement-plugin</url> <tag>HEAD</tag> </scm> @@ -92,4 +92,4 @@ </dependency> </dependencies> -</project> +</project> \ No newline at end of file
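Review bot: the hunk at @@ -34,15 +34,15 @@ touches only pom.xml metadata, swapping the developer id/name/email and changing the SCM connection URLs from ssh to https, and the summary says "1 file changed · +6 −6", so nothing in the visible diff implements the permission check that the commit title (SECURITY-2631, missing permission check) and the advisory describe, and no version bump to 1.0.2 appears either; confirm that the Java-side check and the release version landed in the same PR or a sibling commit and link them from the PR description.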
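Review bot: the hunk at @@ -92,4 +92,4 @@ replaces `</project>` with an identical `</project>` that differs only by dropping the trailing newline ("\ No newline at end of file"); this is whitespace-only churn in a security fix and most POSIX tooling and diff viewers expect a final newline, so suggest restoring it or leaving that line untouched.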
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] github.com/advisories/GHSA-hcw3-6459-pwhc (advisory, GHSA)
[2] nvd.nist.gov/vuln/detail/CVE-2022-43431 (advisory, NVD)
[3] www.openwall.com/lists/oss-security/2022/10/19/3 (mailing list)
[4] github.com/jenkinsci/compuware-strobe-measurement-plugin/commit/29a0d38d12e31ff8538473742c05a2e11f15c0df (fix commit)
[5] www.jenkins.io/security/advisory/2022-10-19/ (Jenkins security advisory)