CVE-2022-36917

Name of the Vulnerable Software and Affected Versions Jenkins Google Cloud Backup Plugin versions 0.6 and earlier

Description A missing permission check in the Jenkins Google Cloud Backup Plugin allows attackers with Overall/Read permission to request a manual backup. This issue is related to insufficient authorization procedures, which can be exploited by a remote attacker to copy arbitrary files. Additionally, the affected HTTP endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Recommendations For Jenkins Google Cloud Backup Plugin versions 0.6 and earlier, as a temporary workaround, consider disabling the manual backup feature until a patch is available. Restrict access to the affected HTTP endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.