CVE-2022-41250

Description

A missing permission check in Jenkins SCM HttpClient Plugin 1.5 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Related CPE's

ajenkinsscm_httpclient*****jenkins**

References

https://www.jenkins.io/security/advisory/2022-09-21/#SECURITY-2708

Vendor Advisory

[oss-security] 20220921 Multiple vulnerabilities in Jenkins and Jenkins plugins

Mailing ListThird Party Advisory

CvssV3 impact

Could not find any metrics

CvssV2 impact

Could not find any metrics
Created by Yello
About Severity.io