CVE-2022-34780

Name of the Vulnerable Software and Affected Versions Jenkins XebiaLabs XL Release Plugin versions 22.0.0 and earlier

Description A cross-site request forgery (CSRF) vulnerability allows attackers to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. The vulnerability is due to the lack of permission checks in methods implementing form validation, which can be exploited by attackers with Overall/Read permission. Additionally, the form validation methods do not require POST requests, further facilitating the CSRF vulnerability.

Recommendations For Jenkins XebiaLabs XL Release Plugin versions 22.0.0 and earlier, update to version 22.0.1 or later, which requires POST requests and Overall/Administer permission for the affected form validation methods. As a temporary workaround, consider restricting access to the form validation methods to minimize the risk of exploitation.