AVID-2026-R1008
Description
Vulnerability CVE-2022-27199
Details
A missing permission check in Jenkins CloudBees AWS Credentials Plugin 189.v3551d5642995 and earlier allows attackers with Overall/Read permission to connect to an AWS service using an attacker-specified token.
Reason for inclusion in AVID: CVE-2022-27199 describes a missing permission check in Jenkins CloudBees AWS Credentials Plugin that enables attackers with Overall/Read permission to connect to AWS using attacker-specified tokens. The plugin is a software component commonly used in CI/CD pipelines, including AI/ML workflows, and represents a software supply chain dependency that affects building and deploying AI systems. This is a security vulnerability with potential impact on AI deployments and data access. The evidence for this AVID entry comes from the NVD entry and the Jenkins advisory, which together provide sufficient signal for classification.
References
- NVD entry
- https://www.jenkins.io/security/advisory/2022-03-15/#SECURITY-2351
- http://www.openwall.com/lists/oss-security/2022/03/15/2
Affected or Relevant Artifacts
- Developer: Jenkins project
- Deployer: Jenkins project
- Artifact Details:
| Type | Name |
|---|---|
| System | Jenkins CloudBees AWS Credentials Plugin |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2022-03-15
- Version: 0.3.3
- AVID Entry