CVE-2022-34811

Name of the Vulnerable Software and Affected Versions Jenkins XPath Configuration Viewer Plugin versions 1.1.1 and earlier

Description A missing permission check in the Jenkins XPath Configuration Viewer Plugin allows attackers with Overall/Read permission to access the XPath Configuration Viewer page. This page grants access to job configuration XML data to every user with Item/Read permission. The encrypted values of secrets stored in the job configuration are not redacted, as they would be by the config.xml API for users without Item/Configure permission.

Recommendations For Jenkins XPath Configuration Viewer Plugin versions 1.1.1 and earlier, consider disabling access to the XPath Configuration Viewer page until a patch is available. Restrict access to the HTTP endpoint related to the XPath Configuration Viewer page to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.