CVE-2022-25200

Name of the Vulnerable Software and Affected Versions Jenkins Checkmarx Plugin versions 2022.1.2 and earlier

Description A cross-site request forgery (CSRF) vulnerability allows attackers to connect to an attacker-specified webserver using attacker-specified credentials IDs, capturing credentials stored in Jenkins. The issue arises from the lack of permission checks in several HTTP endpoints, which can be exploited by attackers with Overall/Read permission. These endpoints also do not require POST requests, further facilitating the CSRF vulnerability.

Recommendations For Jenkins Checkmarx Plugin versions 2022.1.2 and earlier, consider disabling the affected HTTP endpoints until a patch is available to prevent exploitation. Restrict access to the plugin's functionality to minimize the risk of capturing credentials stored in Jenkins. At the moment, there is no information about a newer version that contains a fix for this vulnerability.