CVE-2022-34175: 
Java vulnerability analysis and mitigation

Jenkins uses the Stapler web framework to render its UI views in versions 2.335 through 2.355. A vulnerability identified as CVE-2022-34175 was discovered where the protection mechanism for view fragments was disabled for some views, potentially allowing attackers to directly access view fragments containing sensitive information while bypassing permission checks. This vulnerability affects Jenkins installations between versions 2.335 and 2.355 (both inclusive). The issue was discovered and reported by Wadeck Follonier and Daniel Beck from CloudBees, Inc (Jenkins Advisory).

The vulnerability stems from a disabled protection mechanism that was originally implemented to fix SECURITY-534 in Jenkins 2.186 and LTS 2.176.2. The protection was meant to prevent direct access to view fragments that could contain sensitive information. In the affected versions, this protection was inadvertently disabled for certain views, creating a security gap. The vulnerability has been assigned a Medium severity CVSS rating (Jenkins Advisory).

The vulnerability could allow attackers to bypass permission checks and directly access view fragments containing sensitive information. However, as noted by the Jenkins security team at the time of publication, they were unaware of any vulnerable view fragments across the Jenkins plugin ecosystem that could be exploited (Jenkins Advisory).

The vulnerability was fixed in Jenkins 2.356, which restored the protection for affected views. No Jenkins LTS release was affected by this issue, as it was not present in Jenkins 2.332.x and was fixed in the 2.346.x line before 2.346.1. Users running affected versions should upgrade to Jenkins 2.356 or later to address this vulnerability (Jenkins Advisory).