PT-2022-20407 · Jenkins · Jenkins Pipeline Scm Api For Blue Ocean Plugin
Kevin Guerroudj · Published 2022-05-17 · Updated 2023-11-03 · CVE-2022-30952
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Jenkins Pipeline SCM API for Blue Ocean Plugin versions 1.25.3 and earlier
Description
The issue allows attackers with Job/Configure permission to access credentials with attacker-specified IDs stored in the private per-user credentials stores of any attacker-specified user in Jenkins. This is due to the Blue Ocean Credentials Provider in Pipeline SCM API for Blue Ocean Plugin 1.25.3 and earlier, which enables pipelines to access specific credentials from the per-user credentials store. As a result, attackers can rewrite job configurations to access and capture any attacker-specified credential from any user’s private credentials store.
Recommendations
For Jenkins Pipeline SCM API for Blue Ocean Plugin versions 1.25.3 and earlier, administrators should reconfigure affected pipelines to use a credential from the Jenkins credential store or a folder credential store.
To mitigate the issue, consider disabling the Blue Ocean Credentials Provider through the UI at Manage Jenkins » Configure Credential Providers.
Note that re-enabling the Blue Ocean Credentials Provider by setting the Java system property io.jenkins.blueocean.rest.impl.pipeline.credential.BlueOceanCredentialsProvider.enabled to true is discouraged, as it will restore the unsafe behavior.
Updating to Pipeline SCM API for Blue Ocean Plugin 1.25.4 or later is recommended, as it deprecates the Blue Ocean Credentials Provider and disables it by default.
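The check below is an added example, not part of the advisory or the plugin's code: it classifies a controller against the recommendations above from its plugin list and JVM arguments. The plugin short name `blueocean-pipeline-scm-api`, the inventory layout and the controller names are assumptions, and the sample data is constructed.

```python
import re
import shlex

# Assumption: short name of "Pipeline SCM API for Blue Ocean" in the plugin manager.
PLUGIN = "blueocean-pipeline-scm-api"
FIXED = (1, 25, 4)  # first release with the provider disabled by default (per the advisory)
PROP = ("io.jenkins.blueocean.rest.impl.pipeline.credential."
        "BlueOceanCredentialsProvider.enabled")


def parse_version(text):
    """Return the leading numeric components of a plugin version as a tuple."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def provider_reenabled(jvm_args):
    """True if the JVM command line sets the provider property to true."""
    value = None
    for arg in shlex.split(jvm_args):
        if arg.startswith(f"-D{PROP}="):
            value = arg.split("=", 1)[1]  # last occurrence wins
    return value is not None and value.strip().lower() == "true"


def assess(plugins, jvm_args=""):
    """Classify one controller from its plugin list and JVM arguments."""
    versions = {p["shortName"]: p["version"] for p in plugins}
    if PLUGIN not in versions:
        return "not-installed"
    if parse_version(versions[PLUGIN]) < FIXED:
        return "affected-version"      # 1.25.3 and earlier: update or disable the provider
    if provider_reenabled(jvm_args):
        return "provider-re-enabled"   # fixed version, but unsafe behavior restored
    return "ok"


# Constructed sample inventory; each entry mimics a plugin list plus JVM arguments.
SAMPLE = [
    {"name": "ci-old", "plugins": [{"shortName": PLUGIN, "version": "1.25.3"}], "jvm": ""},
    {"name": "ci-new", "plugins": [{"shortName": PLUGIN, "version": "1.25.4"}],
     "jvm": f"-Xmx2g -D{PROP}=true"},
    {"name": "ci-ok", "plugins": [{"shortName": PLUGIN, "version": "1.27.0"}], "jvm": "-Xmx2g"},
]

if __name__ == "__main__":
    for c in SAMPLE:
        print(c["name"], assess(c["plugins"], c["jvm"]))
```

An `affected-version` result does not show whether the provider was disabled through the UI, so that setting still has to be confirmed on the controller itself.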
Weakness Enumeration
Insufficiently Protected Credentials
Affected Products
Blue Ocean Credentials Provider
Jenkins
Jenkins Pipeline Scm Api For Blue Ocean Plugin