PT-2022-4767 · Jenkins · Jenkins OpenShift Deployer Plugin

Daniel Beck · Published 2022-07-27 · Updated 2023-11-02 · CVE-2022-36908

CVSS v3.1 6.5 Medium
Vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins OpenShift Deployer Plugin versions 1.2.0 and earlier
Description: Jenkins OpenShift Deployer Plugin 1.2.0 and earlier does not require POST requests for several of its form validation methods, and those methods also perform no permission check. Because Jenkins enforces its CSRF crumb only on POST requests, the methods are reachable by GET, so an attacker who lures an authenticated Jenkins user to a malicious page can have that user's browser invoke them with attacker-supplied parameters (cross-site request forgery). This allows the attacker to check for the existence of an attacker-specified file path on the Jenkins controller file system and to upload an SSH key file from the Jenkins controller file system to an attacker-specified URL.
Recommendations: As of the last update to this entry, no plugin release containing a fix is known. Until one is available, disable or uninstall the OpenShift Deployer Plugin on affected controllers. Where that is not possible, reduce exposure: restrict which users and networks can reach the Jenkins web interface, avoid keeping SSH private keys as plain files on the controller file system (the Jenkins credentials store is the intended place for them), and review access logs for GET requests to the plugin's form validation endpoints that carry a Referer or Origin outside your Jenkins host. Jenkins' built-in CSRF protection does not mitigate this issue, because the crumb check applies only to POST requests.
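The weakness class described above, as an added example that is not part of this entry or of the plugin's code: a hypothetical Jenkins build step whose descriptor exposes form validation methods via GET with no permission check, beside the hardened form that Jenkins plugin-security guidance prescribes (`@POST` plus an explicit permission check). All class, method and parameter names (`VulnerableBuilder`, `doCheckKeyPath`, `doTestUpload`, `keyPath`, `url`) are assumptions; the plugin's real endpoints are not reproduced. It assumes Java 11 or later (for `java.net.http`) and a Jenkins core that ships Stapler's `org.kohsuke.stapler.verb.POST`.

```java
import java.io.File;
import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.file.Files;

import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

/**
 * Hypothetical build steps illustrating the weakness class in this advisory. Class, method
 * and parameter names are assumptions, not the OpenShift Deployer Plugin's real code.
 * Stapler exposes every doCheckXxx/doTestXxx method of a descriptor as an HTTP endpoint
 * (checkXxx/testXxx under the descriptor's URL); the job configuration form calls them.
 */
public class FormValidationCsrfExample {

    /** BEFORE: form validation methods that accept GET and check no permission. */
    public static class VulnerableBuilder extends Builder {
        @Extension
        public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {

            // Reachable via GET, so an <img> or fetch() on an attacker's page fires it with
            // the victim's session cookie. The CSRF crumb is only enforced on POST, and
            // nothing here checks who is asking, so any caller probes the controller's disk.
            public FormValidation doCheckKeyPath(@QueryParameter String value) {
                return new File(value).exists()
                        ? FormValidation.ok()
                        : FormValidation.error("Key file not found");
            }

            // Same flaw, worse effect: reads a controller file and sends it to a
            // request-supplied URL. Under CSRF both values are attacker-chosen.
            public FormValidation doTestUpload(@QueryParameter String keyPath,
                                               @QueryParameter String url)
                    throws IOException, InterruptedException {
                return upload(keyPath, url);
            }

            @Override public boolean isApplicable(Class<? extends AbstractProject> jobType) { return true; }
            @Override public String getDisplayName() { return "Example step (vulnerable)"; }
        }
    }

    /** AFTER: the fix pattern Jenkins plugin-security guidance prescribes. */
    public static class HardenedBuilder extends Builder {
        @Extension
        public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {

            // @POST makes Stapler reject any other verb, so a valid CSRF crumb is required and
            // a cross-site page cannot trigger the call. The permission check ties the side
            // effect to a user allowed to configure this job (or to administer Jenkins when
            // invoked outside a job context, e.g. from global configuration).
            @POST
            public FormValidation doCheckKeyPath(@AncestorInPath Item item,
                                                 @QueryParameter String value) {
                if (item == null) {
                    Jenkins.get().checkPermission(Jenkins.ADMINISTER);
                } else {
                    item.checkPermission(Item.CONFIGURE);
                }
                return new File(value).exists()
                        ? FormValidation.ok()
                        : FormValidation.error("Key file not found");
            }

            // Reading arbitrary controller paths and sending them off-host is an
            // administrator-level action whoever submits the form, so demand ADMINISTER.
            @POST
            public FormValidation doTestUpload(@QueryParameter String keyPath,
                                               @QueryParameter String url)
                    throws IOException, InterruptedException {
                Jenkins.get().checkPermission(Jenkins.ADMINISTER);
                return upload(keyPath, url);
            }

            @Override public boolean isApplicable(Class<? extends AbstractProject> jobType) { return true; }
            @Override public String getDisplayName() { return "Example step (hardened)"; }
        }
    }

    // Shared helper: POST the file at keyPath to url and report the HTTP outcome.
    static FormValidation upload(String keyPath, String url) throws IOException, InterruptedException {
        byte[] key = Files.readAllBytes(new File(keyPath).toPath());
        HttpRequest req = HttpRequest.newBuilder(URI.create(url))
                .POST(HttpRequest.BodyPublishers.ofByteArray(key))
                .build();
        HttpResponse<Void> resp = HttpClient.newHttpClient()
                .send(req, HttpResponse.BodyHandlers.discarding());
        return resp.statusCode() / 100 == 2
                ? FormValidation.ok("Upload succeeded")
                : FormValidation.error("Upload failed: HTTP " + resp.statusCode());
    }
}
```

The two descriptors differ only in the `@POST` annotation and the permission checks; the method bodies are identical, which is the point: the flaw is in who may reach the method and how, not in what it does. This is a change only a plugin maintainer can ship, since operators cannot add annotations to an installed plugin; absent a fixed release, the operator-side mitigation is to disable the plugin.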

Weakness Enumeration

CSRF

Related Identifiers

BDU:2022-05668
CVE-2022-36908
GHSA-5MV2-VQQ7-MQ5H

Affected Products

Jenkins
Jenkins OpenShift Deployer Plugin