CVE-2022-36921

Name of the Vulnerable Software and Affected Versions Jenkins Coverity Plugin versions 1.11.4 and earlier

Description The issue is related to a missing permission check in the Jenkins Coverity Plugin, which can be exploited by attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs. This allows the capture of credentials stored in Jenkins. The vulnerability is associated with weaknesses in the authorization procedure.

Recommendations For Jenkins Coverity Plugin versions 1.11.4 and earlier, consider disabling the plugin until a patch is available to prevent attackers from exploiting the missing permission check and capturing credentials. Restrict access to the HTTP endpoint to minimize the risk of exploitation. Avoid using attacker-specified credentials IDs in the affected plugin until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.