CVE-2022-45383 - Vulnerability Details - OpenCVE

An incorrect permission check in Jenkins Support Core Plugin 1206.v14049fa_b_d860 and earlier allows attackers with Support/DownloadBundle permission to download a previously created support bundle containing information limited to users with Overall/Administer permission.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0069.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Jenkins	Support Core

Configuration 1 [-]

cpe:2.3:a:jenkins:support_core:*:*:*:*:*:jenkins:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2022-7445	An incorrect permission check in Jenkins Support Core Plugin 1206.v14049fa_b_d860 and earlier allows attackers with Support/DownloadBundle permission to download a previously created support bundle containing information limited to users with Overall/Administer permission.
Github GHSA	GHSA-w2j3-pq63-339w	Incorrect permission checks in Jenkins Support Core Plugin

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2022/11/15/4
https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2804

History

Wed, 30 Apr 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: jenkins

Published: 2022-11-15T00:00:00.000Z

Updated: 2025-04-30T14:06:29.683Z

Reserved: 2022-11-14T00:00:00.000Z

Link: CVE-2022-45383

Vulnrichment

Updated: 2024-08-03T14:09:56.984Z

NVD

Status : Modified

Published: 2022-11-15T20:15:11.730

Modified: 2025-04-30T14:15:27.883

Link: CVE-2022-45383

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-45383", "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "dateUpdated": "2025-04-30T14:06:29.683Z", "dateReserved": "2022-11-14T00:00:00.000Z", "datePublished": "2022-11-15T00:00:00.000Z"}, "containers": {"cna": {"affected": [{"product": "Jenkins Support Core Plugin", "vendor": "Jenkins project", "versions": [{"lessThanOrEqual": "1206.v14049fa_b_d860", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"status": "unaffected", "version": "1201.1203.v828b_ef272669"}]}], "descriptions": [{"lang": "en", "value": "An incorrect permission check in Jenkins Support Core Plugin 1206.v14049fa_b_d860 and earlier allows attackers with Support/DownloadBundle permission to download a previously created support bundle containing information limited to users with Overall/Administer permission."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2023-10-24T14:26:12.893Z"}, "references": [{"url": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2804"}, {"name": "[oss-security] 20221115 Multiple vulnerabilities in Jenkins plugins", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2022/11/15/4"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T14:09:56.984Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2804", "tags": ["x_transferred"]}, {"name": "[oss-security] 20221115 Multiple vulnerabilities in Jenkins plugins", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2022/11/15/4"}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-863", "lang": "en", "description": "CWE-863 Incorrect Authorization"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-04-30T14:05:33.062439Z", "id": "CVE-2022-45383", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-30T14:06:29.683Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2804", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2022/11/15/4", "name": "[oss-security] 20221115 Multiple vulnerabilities in Jenkins plugins", "tags": ["mailing-list", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T14:09:56.984Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2022-45383", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-30T14:05:33.062439Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-30T14:06:03.255Z"}}], "cna": {"affected": [{"vendor": "Jenkins project", "product": "Jenkins Support Core Plugin", "versions": [{"status": "affected", "version": "unspecified", "versionType": "custom", "lessThanOrEqual": "1206.v14049fa_b_d860"}, {"status": "unaffected", "version": "1201.1203.v828b_ef272669"}]}], "references": [{"url": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2804"}, {"url": "http://www.openwall.com/lists/oss-security/2022/11/15/4", "name": "[oss-security] 20221115 Multiple vulnerabilities in Jenkins plugins", "tags": ["mailing-list"]}], "descriptions": [{"lang": "en", "value": "An incorrect permission check in Jenkins Support Core Plugin 1206.v14049fa_b_d860 and earlier allows attackers with Support/DownloadBundle permission to download a previously created support bundle containing information limited to users with Overall/Administer permission."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2023-10-24T14:26:12.893Z"}}}, "cveMetadata": {"cveId": "CVE-2022-45383", "state": "PUBLISHED", "dateUpdated": "2025-04-30T14:06:29.683Z", "dateReserved": "2022-11-14T00:00:00.000Z", "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "datePublished": "2022-11-15T00:00:00.000Z", "assignerShortName": "jenkins"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:support_core:*:*:*:*:*:jenkins:*:*", "matchCriteriaId": "D8B3C7FF-4965-43E7-AD3D-6C17DF763BB2", "versionEndExcluding": "1206.1208.v9b_7a_1d48db_0f", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An incorrect permission check in Jenkins Support Core Plugin 1206.v14049fa_b_d860 and earlier allows attackers with Support/DownloadBundle permission to download a previously created support bundle containing information limited to users with Overall/Administer permission."}, {"lang": "es", "value": "Una verificaci\u00f3n de permisos incorrecta en Jenkins Support Core Plugin 1206.v14049fa_b_d860 y versiones anteriores permite a atacantes con permiso Support/DownloadBundle descargar un paquete de soporte creado previamente que contiene informaci\u00f3n limitada a usuarios con permiso General/Administrador."}], "id": "CVE-2022-45383", "lastModified": "2025-04-30T14:15:27.883", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2022-11-15T20:15:11.730", "references": [{"source": "jenkinsci-cert@googlegroups.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/11/15/4"}, {"source": "jenkinsci-cert@googlegroups.com", "tags": ["Vendor Advisory"], "url": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2804"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/11/15/4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2804"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-863"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}