CVE-2022-34212

Name of the Vulnerable Software and Affected Versions Jenkins vRealize Orchestrator Plugin versions 3.0 and earlier

Description A missing permission check in the plugin allows attackers with Overall/Read permission to send an HTTP POST request to an attacker-specified URL, such as "/api/v1/sendRequest". The url variable can be controlled by the attacker, potentially leading to unauthorized actions.

Recommendations For Jenkins vRealize Orchestrator Plugin versions 3.0 and earlier, consider disabling the plugin until a patch is available to prevent attackers from sending unauthorized HTTP POST requests. Restrict access to the Overall/Read permission to minimize the risk of exploitation. Avoid using the url variable in affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.