CVE-2022-45385: Lack of authentication mechanism for webhook in CloudBees Docker Hub/Registry Notification Plugin

November 16, 2022 (updated April 30, 2025)

CloudBees Docker Hub/Registry Notification Plugin provides several webhook endpoints that can be used to trigger builds when Docker images used by a job have been rebuilt.

In CloudBees Docker Hub/Registry Notification Plugin 2.6.2 and earlier, these endpoints can be accessed without authentication.

This allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository.

CloudBees Docker Hub/Registry Notification Plugin 2.6.2.1 requires a token as a part of webhook URLs, which will act as authentication for the webhook endpoint. As a result, all webhook URLs in the plugin will be different after updating the plugin.

Administrators can set the Java system property org.jenkinsci.plugins.registry.notification.webhook.JSONWebHook.DO_NOT_REQUIRE_API_TOKEN to true to disable this fix.

References

Code Behaviors & Features

Detect and mitigate CVE-2022-45385 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →