VYPR
Moderate severity · NVD Advisory · Published Nov 15, 2022 · Updated Apr 30, 2025

CVE-2022-45389

Description

A missing permission check in Jenkins XP-Dev Plugin 1.0 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to an attacker-specified repository.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins XP-Dev Plugin 1.0 and earlier lacks a permission check, allowing unauthenticated attackers to trigger builds for an attacker-specified repository.

Vulnerability

Overview

The Jenkins XP-Dev Plugin, versions 1.0 and earlier, exposes an HTTP endpoint that triggers builds for a named repository, and that endpoint performs no permission check. Jenkins leaves authorization inside a plugin's web methods to the plugin itself; here the handler never verifies that the caller holds the permission that would ordinarily be required to start a build (Item/Build on the affected jobs), so Jenkins' access-control layer is bypassed entirely [1].

Exploitation

An unauthenticated attacker exploits the flaw by sending an HTTP request to the plugin's endpoint on a Jenkins instance where the plugin is installed. The request names a repository of the attacker's choosing, and the plugin schedules builds of every job configured to use that repository without any authentication or authorization check [2]. No account, credentials or prior access are required. Because no permission is consulted, the request succeeds regardless of how the instance's authorization strategy is configured; the only precondition is that the attacker can reach the Jenkins HTTP port.
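Since no fix is available, spotting abuse of the endpoint matters. The following Python script is an added example (it is not part of this advisory or of the plugin) that scans Jenkins access-log lines in combined format for requests to the plugin's build-trigger endpoint and groups those that did not come from the expected webhook sender. The endpoint prefix `/xpdev/` and the `repository` query parameter are assumptions for illustration only, as are the log lines and the allow-listed source address; take the real path and parameter from the plugin's source or a captured request, and the allow-list from your SCM host's addresses.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Combined log format: host ident user [time] "method target proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# ASSUMPTION: the plugin's trigger endpoint lives under this URL prefix and names the
# repository in a 'repository' query parameter. Neither is given by the advisory;
# take both from the plugin's source (or a captured request) before using this.
TRIGGER_PREFIX = "/xpdev/"
REPO_PARAM = "repository"


def parse_line(line, context_path=""):
    """Parse one combined-format access-log line; None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    path = parts.path
    if context_path and path.startswith(context_path):
        path = path[len(context_path):]          # strip e.g. '/jenkins' when Jenkins is not at '/'
    rec["path"] = path
    rec["query"] = parse_qs(parts.query)         # percent-decodes values, so encodings collapse
    return rec


def find_trigger_requests(lines, prefix=TRIGGER_PREFIX, context_path=""):
    """Return every request to the trigger endpoint together with the repository it named."""
    hits = []
    for line in lines:
        rec = parse_line(line, context_path)
        if rec is None or not rec["path"].startswith(prefix):
            continue
        repo = rec["query"].get(REPO_PARAM, ["<none>"])[0]
        hits.append({"host": rec["host"], "user": rec["user"], "method": rec["method"],
                     "repository": repo, "status": rec["status"]})
    return hits


def suspicious(hits, allowed_sources):
    """Group trigger hits by source address, dropping the expected webhook senders.

    A webhook endpoint should only ever be called by the SCM service, so any other
    source is a candidate for CVE-2022-45389 abuse. The user field is reported for
    context only: depending on the logger it may read '-' even for logged-in users,
    so do not treat 'all_anonymous' as proof on its own."""
    by_source = defaultdict(lambda: {"count": 0, "repositories": set(), "all_anonymous": True})
    for h in hits:
        if h["host"] in allowed_sources:
            continue
        entry = by_source[h["host"]]
        entry["count"] += 1
        entry["repositories"].add(h["repository"])
        if h["user"] != "-":
            entry["all_anonymous"] = False
    return {src: {"count": e["count"], "repositories": sorted(e["repositories"]),
                  "all_anonymous": e["all_anonymous"]} for src, e in by_source.items()}


# Constructed sample input (not real traffic). 192.0.2.10 plays the legitimate SCM host.
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Nov/2022:10:00:00 +0000] "POST /xpdev/trigger?repository=acme%2Fapp HTTP/1.1" 200 0 "-" "-"',
    '203.0.113.7 - - [15/Nov/2022:10:01:02 +0000] "GET /xpdev/trigger?repository=acme/app HTTP/1.1" 200 0 "-" "curl/7.85.0"',
    '203.0.113.7 - - [15/Nov/2022:10:01:03 +0000] "GET /xpdev/trigger?repository=acme%2Fapp HTTP/1.1" 200 0 "-" "curl/7.85.0"',
    '10.0.0.5 - alice [15/Nov/2022:10:02:00 +0000] "POST /job/app/build HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.8 - bob [15/Nov/2022:10:03:00 +0000] "GET /xpdev/trigger?repository=acme/lib HTTP/1.1" 200 0 "-" "curl/7.85.0"',
    '198.51.100.2 - - [15/Nov/2022:10:04:00 +0000] "GET /xpdev/trigger HTTP/1.1" 200 0 "-" "python-requests/2.28"',
]
EXPECTED_WEBHOOK_SOURCES = {"192.0.2.10"}   # constructed allow-list


if __name__ == "__main__":
    for src, info in suspicious(find_trigger_requests(SAMPLE_LOG), EXPECTED_WEBHOOK_SOURCES).items():
        print(f"{src}: {info['count']} trigger request(s) for {info['repositories']}, "
              f"all anonymous: {info['all_anonymous']}")
```

On the sample, the two differently encoded requests from 203.0.113.7 collapse to one repository name, the authenticated call from 10.0.0.8 is still reported because it did not come from the SCM host, and the legitimate hook from 192.0.2.10 is dropped. When Jenkins sits behind a reverse proxy, the proxy's access log is usually the more complete source; pass the context path (for example `/jenkins`) if the instance is not mounted at the root.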

Impact

Successful exploitation lets an attacker start builds of any job whose repository name they can guess or observe, at a time and frequency of their choosing. The attacker does not by itself control what the job builds, since each job checks out the repository it is configured for, but repeatedly triggering builds can exhaust executors and disk space, deny service to legitimate users, and run build steps, deployments and notifications at unintended moments, which may expose information in build output or cause side effects in downstream systems [1][2].

Mitigation

As of the advisory date (2022-11-15) no fixed version of the XP-Dev Plugin has been released, and the plugin is listed among those with unresolved security issues [2]. If the plugin is not essential, uninstall it, or at least disable it in the Plugin Manager. Where it must stay, restrict network access to the Jenkins instance (for example at a reverse proxy) so that only trusted sources can reach it, and review the build history for builds that do not correspond to real repository activity. Administrators should check the plugin's page and the Jenkins security advisories for a fix before re-enabling it.
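To confirm whether an instance is exposed, the following Python check is an added example (not from the advisory or the plugin) that reads the JSON returned by Jenkins' `/pluginManager/api/json?depth=1` endpoint, finds the plugin by its short name `xpdev` (derived from the Maven artifactId listed on this page; verify the name against your own Plugin Manager), and reports whether the installed version is in the affected range and whether the plugin is still enabled. The plugin lists below are constructed sample input.

```python
import json
import re

PLUGIN_ID = "xpdev"        # assumed short name, from the artifactId com.cloudbees.jenkins.plugins:xpdev
LAST_AFFECTED = "1.0"      # advisory: 1.0 and earlier are affected; no patched version exists


def version_key(v):
    """Turn '1.0', '1.2.3' or '1.1-SNAPSHOT' into a tuple of ints for comparison.

    Non-numeric suffixes are dropped, so '1.1-SNAPSHOT' compares like 1.1; that is
    the conservative choice (a pre-release is treated as affected if its base is)."""
    m = re.match(r"[\d.]+", v)
    parts = m.group(0).split(".") if m else []
    return tuple(int(p) for p in parts if p != "")


def is_affected(version, last_affected=LAST_AFFECTED):
    """True when version <= last_affected under numeric dotted comparison."""
    return version_key(version) <= version_key(last_affected)


def audit(plugin_manager_json, plugin_id=PLUGIN_ID):
    """Find the plugin in a /pluginManager/api/json?depth=1 document and assess it.

    'enabled' is the administrator's switch (the disable-the-plugin mitigation);
    'active' is whether the plugin is actually loaded in the running instance."""
    data = json.loads(plugin_manager_json)
    for p in data.get("plugins", []):
        if p.get("shortName") != plugin_id:
            continue
        version = p.get("version", "0")
        return {"installed": True, "version": version,
                "affected": is_affected(version),
                "enabled": bool(p.get("enabled")), "active": bool(p.get("active"))}
    return {"installed": False}


# Constructed sample documents in the shape of the Plugin Manager API output.
SAMPLE_AFFECTED = json.dumps({"plugins": [
    {"shortName": "git", "version": "4.11.5", "enabled": True, "active": True},
    {"shortName": "xpdev", "version": "1.0", "enabled": True, "active": True},
]})
SAMPLE_DISABLED = json.dumps({"plugins": [
    {"shortName": "xpdev", "version": "1.0", "enabled": False, "active": False},
]})
SAMPLE_ABSENT = json.dumps({"plugins": [
    {"shortName": "git", "version": "4.11.5", "enabled": True, "active": True},
]})


if __name__ == "__main__":
    import sys
    # Pipe the live API response in; without input the constructed sample is used.
    doc = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AFFECTED
    print(json.dumps(audit(doc), indent=2))
```

Fetch the live document with an account that is allowed to read the Plugin Manager (`curl -u user:apitoken 'https://jenkins.example/pluginManager/api/json?depth=1'`) and pipe it to the script. Because no patched version exists, every installed version currently reports as affected; the comparison is kept so the check stays correct once a fix is published, and the `enabled` flag shows whether disabling the plugin has actually taken effect.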

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package:           com.cloudbees.jenkins.plugins:xpdev (Maven)
Affected versions: <= 1.0
Patched versions:  none

Affected products: 1

Patches: 0 (no patches discovered yet)
