CVE-2022-28138

Name of the Vulnerable Software and Affected Versions Jenkins RocketChat Notifier Plugin versions 1.4.10 and earlier

Description A cross-site request forgery (CSRF) vulnerability allows attackers to connect to an attacker-specified URL using attacker-specified credentials. This issue arises because the plugin does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to exploit the vulnerability. Furthermore, the form validation method does not require POST requests, contributing to the CSRF vulnerability.

Recommendations For Jenkins RocketChat Notifier Plugin versions 1.4.10 and earlier, update to version 1.5.0, which requires POST requests and Overall/Administer permission for the affected form validation method, thus mitigating the issue. As a temporary workaround, consider restricting access to the form validation method to users with Overall/Administer permission until the update to version 1.5.0 is applied.