CVE-2022-27205

Name of the Vulnerable Software and Affected Versions Jenkins Extended Choice Parameter Plugin versions 346.vd87693c5a 86c and earlier

Description A missing permission check in the plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL. The form validation methods do not perform a permission check and do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Recommendations For Jenkins Extended Choice Parameter Plugin versions 346.vd87693c5a 86c and earlier, consider disabling the form validation methods until a patch is available to prevent attackers from connecting to an attacker-specified URL. Restrict access to the plugin's functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.