PT-2022-27487 · Cloudbees · Jenkins Cloudbees Docker Hub/Registry Notification Plugin

Kevin Guerroudj · Published 2022-11-15 · Updated 2023-11-13 · CVE-2022-45385

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins CloudBees Docker Hub/Registry Notification Plugin versions 2.6.2 and earlier

Description: A missing permission check in the Jenkins CloudBees Docker Hub/Registry Notification Plugin allows unauthenticated attackers to trigger builds of jobs corresponding to an attacker-specified repository. The plugin exposes several webhook endpoints that trigger builds when a Docker image used by a job has been rebuilt; because these endpoints can be reached without authentication, an unauthenticated attacker can use them to trigger builds for a repository of their choosing.

Recommendations: For Jenkins CloudBees Docker Hub/Registry Notification Plugin versions 2.6.2 and earlier, update to version 2.6.2.1 or later, which requires a token as part of the webhook URLs; the token acts as authentication for the webhook endpoint. As a temporary workaround, consider setting the Java system property org.jenkinsci.plugins.registry.notification.webhook.JSONWebHook.DO_NOT_REQUIRE_API_TOKEN to false, which enables the API token requirement; be aware that setting it to true disables this security fix.
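The two conditions in the recommendations above (a version boundary that a naive string or float comparison gets wrong, since 2.6.2.1 sorts after 2.6.2, and a system property that can switch the fix back off) can be checked against a Jenkins instance's own plugin inventory. This is an added example, not code from the advisory or from the plugin; it assumes the plugin's short name is dockerhub-notification, uses a constructed sample of the plugin-list JSON, and spells the system property with underscores as a Java identifier.

```python
import json
import re

# Constructed sample of the JSON Jenkins serves at /pluginManager/api/json?depth=1,
# trimmed to the fields this check uses.
SAMPLE_PLUGIN_LIST = json.dumps({
    "plugins": [
        {"shortName": "git", "version": "4.11.5", "active": True},
        {"shortName": "dockerhub-notification", "version": "2.6.2", "active": True},
    ]
})

PLUGIN_ID = "dockerhub-notification"  # assumed short name of the plugin
FIXED_VERSION = "2.6.2.1"             # first version requiring a webhook token
PROPERTY = ("org.jenkinsci.plugins.registry.notification.webhook."
            "JSONWebHook.DO_NOT_REQUIRE_API_TOKEN")


def version_key(version):
    """Turn '2.6.2.1' (or '2.6.2-beta') into a tuple of ints for comparison.
    Comparing as strings or floats would rank 2.6.2.1 below 2.6.2."""
    numeric = re.match(r"\d+(?:\.\d+)*", version)
    if numeric is None:
        raise ValueError(f"unparseable plugin version: {version!r}")
    return tuple(int(part) for part in numeric.group(0).split("."))


def assess(plugin_list_json, system_properties):
    """Decide whether the plugin's webhook endpoints still accept unauthenticated
    requests. Returns (status, reason) with status one of 'not_installed',
    'vulnerable' or 'fixed'."""
    plugins = {p["shortName"]: p for p in json.loads(plugin_list_json)["plugins"]}
    plugin = plugins.get(PLUGIN_ID)
    if plugin is None or not plugin.get("active", True):
        return "not_installed", f"{PLUGIN_ID} is not installed or not active"
    if version_key(plugin["version"]) < version_key(FIXED_VERSION):
        return "vulnerable", (f"version {plugin['version']} is 2.6.2 or earlier; "
                              f"update to {FIXED_VERSION} or later")
    # Even on a fixed version the token requirement can be switched off again.
    if system_properties.get(PROPERTY, "false").strip().lower() == "true":
        return "vulnerable", f"{PROPERTY}=true disables the token requirement"
    return "fixed", "webhook endpoints require a token in the URL"


if __name__ == "__main__":
    print(assess(SAMPLE_PLUGIN_LIST, {}))
```

The system property values would be read from the controller's JVM arguments (or the script console's System.getProperties()) and passed in as the second argument.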

Fix

Weakness Enumeration: Missing Authorization

Related Identifiers

CVE-2022-45385
GHSA-V535-PC6R-77QH

Affected Products

Jenkins
Jenkins Cloudbees Docker Hub/Registry Notification Plugin