CVE-2022-28150

Name of the Vulnerable Software and Affected Versions Jenkins Job and Node ownership Plugin versions 0.13.0 and earlier

Description A cross-site request forgery (CSRF) vulnerability exists due to the lack of permission checks in several HTTP endpoints, allowing attackers with Item/Read permission to change job owners and item-specific permissions. The vulnerability is further exacerbated by the endpoint not requiring POST requests.

Recommendations For Jenkins Job and Node ownership Plugin versions 0.13.0 and earlier, consider disabling access to the vulnerable HTTP endpoints until a patch is available. Restrict access to the plugin's functionality to minimize the risk of exploitation. Avoid using the plugin's features that allow changing job owners and item-specific permissions until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.