CVE-2022-41246

Name of the Vulnerable Software and Affected Versions Jenkins Worksoft Execution Manager Plugin versions 10.0.3.503 and earlier

Description A missing permission check in the plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs, capturing credentials stored in Jenkins. The form validation method is also vulnerable, as it does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Recommendations For Jenkins Worksoft Execution Manager Plugin versions 10.0.3.503 and earlier, consider disabling the form validation method until a patch is available to prevent exploitation. Restrict access to the plugin's functionality to minimize the risk of capturing credentials stored in Jenkins. At the moment, there is no information about a newer version that contains a fix for this vulnerability.