VYPR
Moderate severity · NVD Advisory · Published Nov 15, 2022 · Updated Apr 30, 2025

CVE-2022-45399

Description

A missing permission check in Jenkins Cluster Statistics Plugin 0.4.6 and earlier allows attackers to delete recorded cluster statistics, leading to data loss.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

Description

Jenkins Cluster Statistics Plugin 0.4.6 and earlier does not perform a permission check on the HTTP endpoint that deletes recorded cluster statistics [1]. Any user who can reach that endpoint can therefore delete the data without being authorized to do so [2]. The root cause is that the deletion handler never verifies the caller's permissions before acting: the endpoint that clears the statistics is exposed with no access-control check in front of it.
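To make the flaw concrete, here is an added illustration, not the plugin's own code, of a Jenkins web method in the vulnerable shape beside its hardened form. The class name, URL name and the in-memory record list are hypothetical stand-ins; the Jenkins and Stapler APIs used (RootAction, Jenkins.get().checkPermission, Jenkins.ADMINISTER, Jenkins.READ, @RequirePOST) are real.

```java
import hudson.Extension;
import hudson.model.RootAction;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

/**
 * Hypothetical action exposing recorded statistics at /clusterStatsExample/.
 * Illustrates the missing-permission-check pattern; it is not the real plugin.
 */
@Extension
public class ClusterStatsExampleAction implements RootAction {

    // Stand-in for the plugin's persisted statistics records (constructed, in-memory).
    private final List<String> records = new ArrayList<>();

    @Override public String getIconFileName() { return null; }   // no sidebar link
    @Override public String getDisplayName() { return "Cluster Statistics (example)"; }
    @Override public String getUrlName() { return "clusterStatsExample"; }

    /**
     * VULNERABLE: Stapler routes GET or POST /clusterStatsExample/clearVulnerable
     * straight here. Reaching the URL only needs Overall/Read, and nothing checks
     * whether the caller may delete data, so any reader can wipe the records.
     */
    public void doClearVulnerable(StaplerRequest req, StaplerResponse rsp) throws IOException {
        records.clear();
        rsp.sendRedirect(".");
    }

    /**
     * HARDENED: the destructive action is gated on Overall/Administer.
     * checkPermission throws an access-denied exception (rendered as HTTP 403)
     * before any state changes. @RequirePOST additionally rejects GET, so the
     * deletion cannot be triggered by merely following a link.
     */
    @RequirePOST
    public void doClear(StaplerRequest req, StaplerResponse rsp) throws IOException {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        records.clear();
        rsp.sendRedirect(".");
    }

    /** Read path: listing statistics stays available to anyone with Overall/Read. */
    public List<String> getRecords() {
        Jenkins.get().checkPermission(Jenkins.READ);
        return new ArrayList<>(records);
    }
}
```

In a real plugin the records would be persisted rather than held in a list; the point is the single checkPermission call in doClear that the affected versions omit on their deletion endpoint. Splitting read and delete onto different permissions is what keeps the monitoring view usable for ordinary users while restricting destruction to administrators.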

Attack

Vector and Prerequisites

An attacker exploits this vulnerability by sending a crafted HTTP request to the plugin's deletion endpoint on a Jenkins instance running an affected version [3]. No privilege beyond being able to reach the endpoint is needed: in typical setups that means an account with Overall/Read permission, and on instances that grant anonymous users Overall/Read, no authentication at all [2]. The attack is network-based, so remote exploitation is possible.

Impact

Successful exploitation allows an attacker to delete recorded cluster statistics [1]. This can lead to loss of historical data used for monitoring, capacity planning, and troubleshooting. While it does not directly compromise the Jenkins system or its jobs, it disrupts visibility into cluster performance and resource utilization.

Mitigation

As of the Jenkins Security Advisory 2022-11-15, no fix is available for this plugin [2], and the affected-packages data on this page lists no patched version. The plugin is likely unmaintained. Administrators are advised to remove or disable the Cluster Statistics Plugin if it is not needed [1]. There is no known workaround that keeps the plugin in place; because the deletion endpoint is reachable by anyone with Overall/Read, withholding Overall/Read from anonymous and untrusted accounts narrows the set of possible attackers but does not fix the flaw.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.zeroturnaround:cluster-stats (Maven)
Affected versions: <= 0.4.6
Patched versions: none

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 4

News mentions: 1