CVE-2022-34781

Name of the Vulnerable Software and Affected Versions Jenkins XebiaLabs XL Release Plugin versions 22.0.0 and earlier

Description The issue is related to missing permission checks in the Jenkins XebiaLabs XL Release Plugin, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method. This can lead to capturing credentials stored in Jenkins.

Recommendations For versions 22.0.0 and earlier, update to version 22.0.1 or later, which requires Overall/Administer permission for the affected form validation methods. As a temporary workaround, consider restricting the Overall/Read permission to minimize the risk of exploitation.