CVE-2022-25199

Name of the Vulnerable Software and Affected Versions Jenkins SCP publisher Plugin versions 1.8 and earlier

Description A missing permission check in the plugin allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials. The issue is due to a method implementing form validation that does not perform a permission check. Additionally, this form validation method is vulnerable to cross-site request forgery (CSRF) as it does not require POST requests.

Recommendations For Jenkins SCP publisher Plugin versions 1.8 and earlier, consider disabling the form validation method until a patch is available to prevent attackers from connecting to an attacker-specified SSH server. Restrict access to the plugin's functionality to minimize the risk of exploitation. Avoid using the plugin with Overall/Read permission until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.