CVE-2022-36896

Name of the Vulnerable Software and Affected Versions Jenkins Compuware Source Code Download for Endevor, PDS, and ISPW Plugin versions 2.0.12 and earlier

Description A missing permission check in the plugin allows attackers with Overall/Read permission to enumerate hosts and ports of Compuware configurations and credentials IDs of credentials stored in Jenkins. This could potentially be used as part of an attack to capture the credentials using another vulnerability. The issue is related to insufficient authorization procedures, which can allow a remote attacker to gain unauthorized access to protected information.

Recommendations For versions 2.0.12 and earlier, update to version 2.0.13 or later, which requires the appropriate permissions to enumerate hosts and ports of Compuware configurations and credentials IDs. As a temporary workaround, consider restricting access to the plugin's HTTP endpoints to minimize the risk of exploitation.