CVE-2022-36904: 
Java vulnerability analysis and mitigation

Repository Connector Plugin version 2.2.0 and earlier contains a security vulnerability identified as CVE-2022-36904. This vulnerability was disclosed on July 27, 2022, as part of a larger Jenkins security advisory. The vulnerability affects the form validation functionality in the Repository Connector Plugin (Jenkins Advisory).

The vulnerability stems from a missing permission check in a method implementing form validation. This security flaw allows attackers with Overall/Read permission to check for the existence of attacker-specified file paths on the Jenkins controller file system. Through a sequence of requests, attackers can effectively enumerate and list the entire Jenkins controller file system. The vulnerability has been assessed with a CVSS severity rating of Medium (Jenkins Advisory).

The primary impact of this vulnerability is that it enables unauthorized file system enumeration. Attackers with Overall/Read permission can leverage this vulnerability to map out the Jenkins controller file system structure, potentially exposing sensitive information about the system's configuration and structure (Jenkins Advisory).

As of the advisory's publication date, there was no fix available for this vulnerability in the Repository Connector Plugin. Users of the affected plugin should monitor for updates and consider implementing additional access controls to restrict Overall/Read permissions to trusted users only (Jenkins Advisory).