PT-2022-18291 · Jenkins · Jenkins Extended Choice Parameter Plugin

Oleg Nenashev · Published 2022-03-15 · Updated 2023-11-30

CVE-2022-27204
CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Jenkins Extended Choice Parameter Plugin versions 346.vd87693c5a_86c and earlier

Description: A cross-site request forgery (CSRF) vulnerability allows attackers to have Jenkins connect to an attacker-specified URL. The plugin does not perform a permission check on its form validation methods, so attackers with Overall/Read permission can invoke them. In addition, these form validation methods do not require POST requests, which is what makes the cross-site request forgery possible.

Recommendations: For versions 346.vd87693c5a_86c and earlier, consider disabling the form validation methods until a patch is available. Restrict access to the plugin to reduce exposure, especially for users holding only Overall/Read permission, and avoid using the plugin for sensitive operations until the issue is resolved. At the moment there is no information about a newer version that contains a fix for this vulnerability.
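As an added illustration (not code from the plugin or from this advisory), the shape of a Jenkins form validation method with the two defects the description names, beside the pattern Jenkins developer guidance prescribes: reject GET with `@POST` and check the caller's permission before doing anything. The class and method names are hypothetical.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import hudson.model.Item;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

// Hypothetical descriptor class; in a real plugin these methods live on the
// Descriptor of the parameter definition so that Stapler can bind them.
public class ChoiceSourceDescriptor {
    // WEAK: reachable by GET as well as POST and guarded by no permission
    // check, so any Overall/Read user, or a page such a user visits (CSRF),
    // can make the server open a connection to the URL it names.
    public FormValidation doCheckUrlWeak(@QueryParameter String value) {
        return probe(value);
    }
    // HARDENED: @POST makes Stapler refuse GET (a plain link or image tag can
    // no longer trigger it, and Jenkins' CSRF crumb then covers POST), and the
    // permission check limits callers to users allowed to configure the job,
    // or to administrators when no job is in the request path.
    @POST
    public FormValidation doCheckUrl(@AncestorInPath Item item,
                                     @QueryParameter String value) {
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            item.checkPermission(Item.CONFIGURE);
        }
        return probe(value);
    }
    // Shared connectivity probe; only the guards above differ.
    private static FormValidation probe(String value) {
        if (value == null || value.isEmpty()) {
            return FormValidation.ok();
        }
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(value).openConnection();
            conn.setRequestMethod("HEAD");
            conn.setConnectTimeout(3000);
            int status = conn.getResponseCode();
            return status < 400 ? FormValidation.ok() : FormValidation.warning("HTTP " + status);
        } catch (IOException e) {
            return FormValidation.error("Cannot reach URL: " + e.getMessage());
        }
    }
}
```

Until the plugin ships a fix, an administrator can confirm the second shape is what is deployed by checking that the plugin's `doCheck*`/`doTest*` handlers refuse GET and return 403 for a user with only Overall/Read.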

CSRF


Weakness Enumeration

Related Identifiers

CVE-2022-27204
GHSA-FQPX-XFJR-2QR9

Affected Products

Jenkins
Jenkins Extended Choice Parameter Plugin