CVE-2022-41254

Name of the Vulnerable Software and Affected Versions Jenkins CONS3RT Plugin versions 1.0.0 and earlier

Description The issue arises from missing permission checks in the Jenkins CONS3RT Plugin, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs. This can lead to the capture of credentials stored in Jenkins. Furthermore, the form validation methods in the plugin do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Recommendations For Jenkins CONS3RT Plugin versions 1.0.0 and earlier, consider disabling the plugin until a patch is available to prevent attackers from exploiting the missing permission checks and CSRF vulnerability. Restrict access to the plugin's form validation methods to minimize the risk of exploitation. Avoid using the plugin to connect to HTTP servers using attacker-specified credentials IDs until the issue is resolved.