CVE-2022-36898: 
Java vulnerability analysis and mitigation

CVE-2022-36898 is a security vulnerability discovered in the BMC AMI DevX Code Pipeline Operations Plugin (formerly known as Compuware ISPW Operations Plugin) version 1.0.8 and earlier. The vulnerability was disclosed on July 27, 2022, and affects the Jenkins automation server plugin. This vulnerability is characterized by missing permission checks in several HTTP endpoints (Jenkins Advisory).

The vulnerability stems from a lack of proper permission checks in multiple HTTP endpoints within the plugin. The issue has been assigned a Medium severity CVSS rating. The vulnerability specifically affects BMC AMI DevX Code Pipeline Operations Plugin versions up to and including 1.0.8, allowing unauthorized access to sensitive configuration information (Jenkins Advisory).

The vulnerability allows attackers with Overall/Read permission to enumerate hosts and ports of Compuware configurations and credentials IDs stored in Jenkins. These credentials IDs can potentially be used as part of a broader attack to capture the credentials using another vulnerability (Jenkins Advisory).

The vulnerability has been fixed in BMC AMI DevX Code Pipeline Operations Plugin version 1.0.9. The updated version implements appropriate permission checks for enumerating hosts and ports of Compuware configurations and credentials IDs. Users are advised to upgrade to this version to mitigate the vulnerability (Jenkins Advisory).