CVE-2022-25193

Missing permission checks in Jenkins Snow Commander Plugin 1.10 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified webserver using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
References
Link Resource
https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2536 Issue Tracking Patch Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:jenkins:snow_commander:*:*:*:*:*:jenkins:*:*

History

13 Jul 2022, 16:15

Type Values Removed Values Added
Summary Missing permission checks in Jenkins Snow Commander Plugin 2.0 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified webserver using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. Missing permission checks in Jenkins Snow Commander Plugin 1.10 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified webserver using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

23 Feb 2022, 19:08

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : 4.0
v3 : 6.5
CPE cpe:2.3:a:jenkins:snow_commander:*:*:*:*:*:jenkins:*:*
First Time Jenkins snow Commander
Jenkins
CWE CWE-862
References (CONFIRM) https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2536 - (CONFIRM) https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2536 - Issue Tracking, Patch, Vendor Advisory

15 Feb 2022, 17:15

Type Values Removed Values Added
New CVE

Information

Published : 2022-02-15 17:15

Updated : 2023-12-10 14:22


NVD link : CVE-2022-25193

Mitre link : CVE-2022-25193

CVE.ORG link : CVE-2022-25193


JSON object : View

Products Affected

jenkins

  • snow_commander
CWE
CWE-862

Missing Authorization