CVE-2022-36912

Name of the Vulnerable Software and Affected Versions Jenkins Openstack Heat Plugin versions 1.5 and earlier

Description The issue is related to insufficient authorization procedures in the Jenkins Openstack Heat Plugin, allowing a remote attacker to perform URL redirection. A missing permission check in the plugin enables attackers with Overall/Read permission to connect to a URL specified by the attacker. This is due to the plugin not performing permission checks in methods that implement form validation.

Recommendations For Jenkins Openstack Heat Plugin versions 1.5 and earlier, consider disabling the plugin until a patch is available to prevent attackers from exploiting the missing permission check. Restrict access to the plugin's form validation methods to minimize the risk of exploitation. Avoid using the plugin to connect to external URLs until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.