CVE-2022-41253

Name of the Vulnerable Software and Affected Versions Jenkins CONS3RT Plugin versions 1.0.0 and earlier

Description A cross-site request forgery (CSRF) vulnerability allows attackers to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. The vulnerability is due to the lack of permission checks in methods implementing form validation, which can be exploited by attackers with Overall/Read permission. Additionally, the form validation methods do not require POST requests, contributing to the CSRF vulnerability.

Recommendations For Jenkins CONS3RT Plugin versions 1.0.0 and earlier, consider disabling the form validation methods until a patch is available to prevent exploitation. Restrict access to the plugin's functionality to minimize the risk of capturing credentials stored in Jenkins. At the moment, there is no information about a newer version that contains a fix for this vulnerability.