CVE-2022-28151 - Vulnerability Details - OpenCVE

ReportizFlow

A missing permission check in Jenkins Job and Node ownership Plugin 0.13.0 and earlier allows attackers with Item/Read permission to change the owners and item-specific permissions of a job.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:S/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Jenkins	Job And Node Ownership

Configuration 1 [-]

cpe:2.3:a:jenkins:job_and_node_ownership:*:*:*:*:*:jenkins:*:*

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2022/03/29/1
https://www.jenkins.io/security/advisory/2022-03-29/#SECURITY-2062%20%281%29

History

No history.

MITRE

Status: PUBLISHED

Assigner: jenkins

Published: 2022-03-29T12:31:13.000Z

Updated: 2024-08-03T05:48:37.176Z

Reserved: 2022-03-29T00:00:00.000Z

Link: CVE-2022-28151

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-03-29T13:15:09.680

Modified: 2026-06-17T04:38:04.387

Link: CVE-2022-28151

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Jenkins Job and Node ownership Plugin", "vendor": "Jenkins project", "versions": [{"lessThanOrEqual": "0.13.0", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "unknown", "version": "next of 0.13.0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "A missing permission check in Jenkins Job and Node ownership Plugin 0.13.0 and earlier allows attackers with Item/Read permission to change the owners and item-specific permissions of a job."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2023-10-24T14:21:06.998Z"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.jenkins.io/security/advisory/2022-03-29/#SECURITY-2062%20%281%29"}, {"name": "[oss-security] 20220329 Multiple vulnerabilities in Jenkins plugins", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2022/03/29/1"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "[email protected]", "ID": "CVE-2022-28151", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Jenkins Job and Node ownership Plugin", "version": {"version_data": [{"version_affected": "<=", "version_value": "0.13.0"}, {"version_affected": "?>", "version_value": "0.13.0"}]}}]}, "vendor_name": "Jenkins project"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A missing permission check in Jenkins Job and Node ownership Plugin 0.13.0 and earlier allows attackers with Item/Read permission to change the owners and item-specific permissions of a job."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-862: Missing Authorization"}]}]}, "references": {"reference_data": [{"name": "https://www.jenkins.io/security/advisory/2022-03-29/#SECURITY-2062%20(1)", "refsource": "CONFIRM", "url": "https://www.jenkins.io/security/advisory/2022-03-29/#SECURITY-2062%20(1)"}, {"name": "[oss-security] 20220329 Multiple vulnerabilities in Jenkins plugins", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/03/29/1"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T05:48:37.176Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.jenkins.io/security/advisory/2022-03-29/#SECURITY-2062%20%281%29"}, {"name": "[oss-security] 20220329 Multiple vulnerabilities in Jenkins plugins", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2022/03/29/1"}]}]}, "cveMetadata": {"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2022-28151", "datePublished": "2022-03-29T12:31:13.000Z", "dateReserved": "2022-03-29T00:00:00.000Z", "dateUpdated": "2024-08-03T05:48:37.176Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"affected": [{"affectedData": [{"product": "Jenkins Job and Node ownership Plugin", "vendor": "Jenkins project", "versions": [{"lessThanOrEqual": "0.13.0", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "unknown", "version": "next of 0.13.0", "versionType": "custom"}]}], "source": "[email protected]"}], "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:job_and_node_ownership:*:*:*:*:*:jenkins:*:*", "matchCriteriaId": "DCE8A978-918F-4E1C-B4C8-CE362BCDCA20", "versionEndIncluding": "0.13.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A missing permission check in Jenkins Job and Node ownership Plugin 0.13.0 and earlier allows attackers with Item/Read permission to change the owners and item-specific permissions of a job."}, {"lang": "es", "value": "Una falta de comprobaci\u00f3n de permisos en Jenkins Job and Node ownership Plugin versiones 0.13.0 y anteriores, permite a atacantes con permiso Item/Read cambiar los propietarios y los permisos espec\u00edficos de un trabajo"}], "id": "CVE-2022-28151", "lastModified": "2026-06-17T04:38:04.387", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "[email protected]", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "[email protected]", "type": "Primary"}]}, "published": "2022-03-29T13:15:09.680", "references": [{"source": "[email protected]", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/03/29/1"}, {"source": "[email protected]", "tags": ["Vendor Advisory"], "url": "https://www.jenkins.io/security/advisory/2022-03-29/#SECURITY-2062%20%281%29"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/03/29/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.jenkins.io/security/advisory/2022-03-29/#SECURITY-2062%20%281%29"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "[email protected]", "type": "Primary"}]}