PT-2022-14821 · Jenkins · Jenkins

Published

2022-01-12

·

Updated

2024-03-06

·

CVE-2022-20612

CVSS v3.1

4.3

Medium

VectorAV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions Jenkins versions 2.329 and earlier Jenkins LTS versions 2.319.1 and earlier
Description A cross-site request forgery (CSRF) vulnerability allows attackers to trigger a build of a job without parameters when no security realm is set. This issue arises because the HTTP endpoint handling manual build requests does not require POST requests when no security realm is set, enabling attackers to exploit this weakness.
Recommendations For Jenkins versions 2.329 and earlier, update to version 2.330 or later to resolve the issue. For Jenkins LTS versions 2.319.1 and earlier, update to version 2.319.2 or later to resolve the issue. As a temporary workaround, consider setting a security realm to require POST requests for the affected HTTP endpoint, thereby minimizing the risk of exploitation.

Fix

CSRF

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-352

Related Identifiers

BIT-JENKINS-2022-20612
CVE-2022-20612
GHSA-P92Q-7FHH-MQ35
RHSA-2022:0339
RHSA-2022:0483
RHSA-2022:0491
RHSA-2022:0555
RHSA-2022:0565

Affected Products

Jenkins