CVE-2022-45383

Name of the Vulnerable Software and Affected Versions Jenkins Support Core Plugin versions 1206.v14049fa b d860 and earlier

Description An issue exists due to an incorrect permission check, allowing attackers with Support/DownloadBundle permission to download previously created support bundles containing information limited to users with Overall/Administer permission. This affects several HTTP endpoints. The issue enables access to sensitive diagnostic information without proper authorization.

Recommendations For Jenkins Support Core Plugin versions 1206.v14049fa b d860 and earlier, consider updating to a version where the Support/DownloadBundle permission is deprecated, such as version 1206.1208.v9b 7a 1d48db 0f or later, which requires the Overall/Administer permission to download support bundles. As a temporary workaround, consider restricting the Support/DownloadBundle permission to minimize the risk of exploitation.