CVE-2022-34794

Name of the Vulnerable Software and Affected Versions Jenkins Recipe Plugin versions 1.2 and earlier

Description The issue is related to missing permission checks in the Jenkins Recipe Plugin, allowing attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML. Additionally, the plugin allows users to export the full configuration of jobs as part of a recipe, granting access to job configuration XML data to every user with Item/Read permission. The encrypted values of secrets stored in the job configuration are not redacted, as they would be by the config.xml API for users without Item/Configure permission.

Recommendations For Jenkins Recipe Plugin versions 1.2 and earlier, consider disabling the plugin until a patch is available to prevent attackers from sending HTTP requests to attacker-specified URLs. Restrict access to the plugin's functionality to minimize the risk of exploitation, especially for users with Overall/Read or Item/Read permissions. Avoid using the plugin to export job configurations until the issue is resolved to prevent unauthorized access to sensitive data.