CVE-2022-25212

Name of the Vulnerable Software and Affected Versions Jenkins SWAMP Plugin versions 1.2.6 and earlier

Description A cross-site request forgery (CSRF) vulnerability allows attackers to connect to an attacker-specified web server using attacker-specified credentials. The vulnerability is due to a lack of permission check in a method implementing form validation, which can be exploited by attackers with Overall/Read permission. This method also does not require POST requests, further contributing to the CSRF vulnerability. Attackers can capture credentials stored in Jenkins by obtaining credentials IDs through another method.

Recommendations For Jenkins SWAMP Plugin versions 1.2.6 and earlier, consider disabling the form validation method until a patch is available to prevent exploitation. Restrict access to the plugin's functionality to minimize the risk of attackers connecting to attacker-specified web servers using stolen credentials. At the moment, there is no information about a newer version that contains a fix for this vulnerability.