CVE-2022-36921: 
Java vulnerability analysis and mitigation

CVE-2022-36921 is a permission check vulnerability in Jenkins Coverity Plugin 1.11.4 and earlier, discovered and disclosed on July 27, 2022. The vulnerability affects the plugin's HTTP endpoint functionality and allows attackers with Overall/Read permission to connect to attacker-specified URLs using credentials stored in Jenkins (Jenkins Advisory, NVD).

The vulnerability stems from a missing permission check in an HTTP endpoint within the Coverity Plugin. When exploited, it allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs that were obtained through another method. The vulnerability has been assigned a CVSS v3.1 base score of 8.1 (HIGH), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N (NVD).

The vulnerability enables attackers to capture credentials stored in Jenkins by connecting to attacker-controlled URLs using stolen credential IDs. This could lead to unauthorized access to sensitive systems and data that are accessible using the compromised credentials (Jenkins Advisory).

As of the advisory's publication date, there was no fix available for this vulnerability in the Coverity Plugin. Users are advised to monitor for updates and implement additional access controls to restrict Overall/Read permissions to trusted users (Jenkins Advisory).