CVE-2022-25198

Name of the Vulnerable Software and Affected Versions Jenkins SCP publisher Plugin versions 1.8 and earlier

Description A cross-site request forgery (CSRF) vulnerability allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials. This issue arises because the plugin does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to exploit this vulnerability. Furthermore, the form validation method does not require POST requests, contributing to the CSRF vulnerability.

Recommendations For Jenkins SCP publisher Plugin versions 1.8 and earlier, consider disabling the form validation method until a patch is available to prevent attackers from connecting to an attacker-specified SSH server. Restrict access to the plugin's functionality to minimize the risk of exploitation, especially for users with Overall/Read permission. As a temporary workaround, ensure that all requests to the plugin are validated and verified to prevent CSRF attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.