CVE-2022-41249

Name of the Vulnerable Software and Affected Versions Jenkins SCM HttpClient Plugin versions 1.5 and earlier

Description A cross-site request forgery (CSRF) vulnerability allows attackers to connect to an attacker-specified HTTP server using attacker-specified credentials IDs, capturing credentials stored in Jenkins. The vulnerability is due to a lack of permission check in a method implementing form validation, which can be exploited by attackers with Overall/Read permission. This form validation method does not require POST requests, resulting in the CSRF vulnerability.

Recommendations For Jenkins SCM HttpClient Plugin versions 1.5 and earlier, consider disabling the plugin until a patch is available to prevent attackers from exploiting the CSRF vulnerability. Restrict access to the form validation method to minimize the risk of exploitation. Avoid using the credentials IDs in the affected plugin until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.