CVE-2022-36898

Name of the Vulnerable Software and Affected Versions Jenkins Compuware ISPW Operations Plugin versions 1.0.8 and earlier Jenkins BMC AMI DevX Code Pipeline Operations Plugin versions 1.0.8 and earlier

Description A missing permission check in the plugin allows attackers with Overall/Read permission to enumerate hosts and ports of Compuware configurations and credentials IDs of credentials stored in Jenkins. This could potentially be used as part of an attack to capture the credentials using another vulnerability. The issue is related to insufficient authorization procedures, which can allow a remote attacker to gain unauthorized access to protected information.

Recommendations For Jenkins Compuware ISPW Operations Plugin versions 1.0.8 and earlier, update to a version that includes the necessary permission checks. For Jenkins BMC AMI DevX Code Pipeline Operations Plugin versions 1.0.8 and earlier, update to version 1.0.9 or later, which requires the appropriate permissions to enumerate hosts and ports of Compuware configurations and credentials IDs.