CVE-2022-25201

Name of the Vulnerable Software and Affected Versions Jenkins Checkmarx Plugin versions 2022.1.2 and earlier

Description The issue is related to missing permission checks in the Jenkins Checkmarx Plugin, allowing attackers with Overall/Read permission to connect to an attacker-specified webserver using attacker-specified credentials IDs obtained through another method. This enables the capture of credentials stored in Jenkins. The vulnerability affects the plugin's handling of HTTP endpoints, where permission checks are not properly performed.

Recommendations For Jenkins Checkmarx Plugin versions 2022.1.2 and earlier, consider disabling the plugin until a patch is available to prevent attackers from exploiting the missing permission checks. Restrict access to the plugin's HTTP endpoints to minimize the risk of credential capture. Avoid using the plugin with Overall/Read permission to reduce the attack surface. At the moment, there is no information about a newer version that contains a fix for this vulnerability.