VYPR
Moderate severity · NVD Advisory · Published Nov 15, 2022 · Updated Apr 30, 2025

CVE-2022-45390

Description

A missing permission check in Jenkins loader.io Plugin 1.0.1 and earlier allows attackers with Overall/Read permission to enumerate credential IDs stored in Jenkins.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A missing permission check in the Jenkins loader.io Plugin, versions 1.0.1 and earlier, allows attackers with Overall/Read permission to enumerate credential IDs stored in Jenkins [1][2]. The plugin does not verify permissions before exposing the list of stored credential identifiers, violating the principle of least privilege.

Exploitation

An attacker who already has Overall/Read permission can exploit the missing check to retrieve a list of credential IDs. The attack requires no credentials beyond that existing low-level access and can be performed over the network without any special positioning [3].

Impact

While the credential IDs themselves are not the actual secrets, knowledge of valid IDs can aid in subsequent attacks such as brute-forcing or social engineering to gain access to the underlying credentials. This information disclosure increases the risk of credential compromise within the Jenkins environment.

Mitigation

As of the advisory publication date (2022-11-15), no fix has been released for the loader.io Plugin [1][2]. Users are advised to restrict Overall/Read permission to trusted users or consider removing/disabling the plugin if it is not essential. The plugin remains vulnerable until a patched version is provided.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| io.loader:loaderio-jenkins-plugin (Maven) | <= 1.0.1 | |

Affected products

2

Patches

0

No patches discovered yet.
