CVE-2022-36914

Name of the Vulnerable Software and Affected Versions Jenkins Files Found Trigger Plugin versions 1.5 and earlier

Description The issue is related to insufficient authorization procedures in the plugin. This allows a remote attacker to gain unauthorized access to protected information. Specifically, the plugin does not perform a permission check in a method implementing form validation, enabling attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system. This can be exploited to effectively list the Jenkins controller file system by sending a sequence of requests.

Recommendations For Jenkins Files Found Trigger Plugin versions 1.5 and earlier, as a temporary workaround, consider disabling the form validation method until a patch is available. Restrict access to the plugin to minimize the risk of exploitation. Avoid using the plugin to check for file paths on the Jenkins controller file system until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.