CVE-2022-41245

Name of the Vulnerable Software and Affected Versions Jenkins Worksoft Execution Manager Plugin versions 10.0.3.503 and earlier

Description A cross-site request forgery (CSRF) vulnerability allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs, capturing credentials stored in Jenkins. The issue arises from a lack of permission check in a method implementing form validation, which can be exploited by attackers with Overall/Read permission. This form validation method also does not require POST requests, contributing to the CSRF vulnerability.

Recommendations For Jenkins Worksoft Execution Manager Plugin versions 10.0.3.503 and earlier, consider disabling the form validation method until a patch is available to prevent exploitation. Restrict access to the plugin's functionality to minimize the risk of capturing credentials stored in Jenkins. As a temporary workaround, ensure that only trusted users have Overall/Read permission to reduce the attack surface.