PT-2022-14822 · Jenkins · Jenkins Mailer Plugin+1

Published

2022-01-12

·

Updated

2023-11-22

·

CVE-2022-20613

CVSS v3.1

4.3

Medium

Vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Jenkins Mailer Plugin versions 391.ve4a_38c1b_cf4b and earlier
Jenkins Mailer Plugin prior to 408.vd726a_1130320 and 1.34.2
Description

A cross-site request forgery (CSRF) vulnerability in the Jenkins Mailer Plugin allows attackers to have the DNS resolver used by the Jenkins instance resolve an attacker-specified hostname. The issue arises because the plugin does not perform a permission check in a method implementing form validation, so attackers with Overall/Read access can invoke it. Furthermore, the form validation method does not require POST requests, which makes the CSRF attack possible.

Recommendations

For Jenkins Mailer Plugin versions 391.ve4a_38c1b_cf4b and earlier (that is, any version prior to 408.vd726a_1130320 or 1.34.2), update to version 408.vd726a_1130320 or 1.34.2 to resolve the issue. As a temporary workaround, consider restricting access to the form validation method so that it requires Overall/Administer permission and POST requests until a patch is available.
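As an added illustration (this is not the Mailer Plugin's own code; the class, method and field names are hypothetical), a Jenkins descriptor form-validation method written in the unsafe pattern the description names, next to the hardened form that the recommended fix corresponds to: the `@POST` annotation (Jenkins applies its CSRF crumb check to POST requests) and an explicit Overall/Administer permission check before any hostname resolution is performed.

```java
// Illustrative Jenkins global-configuration descriptor (hypothetical names).
// Shows the unsafe form-validation pattern beside the hardened one.
import hudson.Extension;
import hudson.util.FormValidation;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.net.InetAddress;
import java.net.UnknownHostException;

@Extension
public class ExampleSmtpConfiguration extends GlobalConfiguration {

    // UNSAFE: reachable by GET (so a cross-site form or link can trigger it)
    // and by any user with Overall/Read; the DNS lookup runs with the
    // Jenkins server's resolver on an attacker-chosen hostname.
    public FormValidation doCheckSmtpHostUnsafe(@QueryParameter String value) {
        return resolveHost(value);
    }

    // HARDENED: @POST rejects GET requests and brings the CSRF crumb check
    // into play; checkPermission throws AccessDeniedException for anyone
    // without Overall/Administer before the lookup is attempted.
    @POST
    public FormValidation doCheckSmtpHost(@QueryParameter String value) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return resolveHost(value);
    }

    // Shared validation logic: resolve the SMTP host name, report the result.
    private static FormValidation resolveHost(String host) {
        if (host == null || host.trim().isEmpty()) {
            return FormValidation.ok(); // empty field: nothing to validate
        }
        try {
            InetAddress.getByName(host.trim());
            return FormValidation.ok();
        } catch (UnknownHostException e) {
            return FormValidation.error("Unknown host: " + host);
        }
    }
}
```

When auditing a plugin for this class of issue, review every `doCheck*`, `doValidate*` and `doTest*` method on a descriptor for a missing `@POST`/`@RequirePOST` annotation and a missing `checkPermission` call.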

Fix

CSRF

Weakness Enumeration

Related Identifiers

CVE-2022-20613
GHSA-85RQ-HP8X-GHJQ

Affected Products

Jenkins
Jenkins Mailer Plugin