CVE-2022-41250

Name of the Vulnerable Software and Affected Versions Jenkins SCM HttpClient Plugin versions 1.5 and earlier

Description A missing permission check in the plugin allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. The form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Recommendations For Jenkins SCM HttpClient Plugin versions 1.5 and earlier, consider disabling the plugin until a patch is available to prevent attackers from capturing credentials stored in Jenkins. Restrict access to the plugin's functionality to minimize the risk of exploitation. Avoid using the plugin to connect to HTTP servers using attacker-specified credentials IDs until the issue is resolved.