CVE-2022-41246: 
Java vulnerability analysis and mitigation

The Jenkins Worksoft Execution Manager Plugin version 10.0.3.503 and earlier contains a security vulnerability identified as CVE-2022-41246. This vulnerability is characterized by a missing permission check in a method implementing form validation, which was discovered and reported by Kevin Guerroudj from CloudBees, Inc. The vulnerability was publicly disclosed on September 21, 2022, and affects all versions of the plugin up to and including 10.0.3.503 (Jenkins Advisory).

The vulnerability is classified with a Medium severity CVSS score. The core issue stems from the plugin's failure to perform proper permission checks in a method implementing form validation. This security flaw allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs that can be obtained through another method (Jenkins Advisory).

The vulnerability enables attackers with Overall/Read permission to capture credentials stored in Jenkins by connecting to attacker-specified URLs using credential IDs obtained through other methods. This could potentially lead to unauthorized access to sensitive credentials and compromise the security of the Jenkins installation (Jenkins Advisory).

As of the advisory's publication date, no official fix was available for this vulnerability. Organizations using the affected versions of the Worksoft Execution Manager Plugin should assess their risk and consider implementing additional access controls to limit Overall/Read permissions to trusted users only (Jenkins Advisory).