CVE-2022-41236

Name of the Vulnerable Software and Affected Versions Jenkins Security Inspector Plugin versions 117.v6eecc36919c2 and earlier

Description The issue is related to insufficient authentication of executed POST requests, allowing a remote attacker to perform a cross-site request forgery (CSRF) attack. This vulnerability enables attackers to replace the generated report stored in a per-session cache and displayed to authorized users at the /report URL with a report based on attacker-specified report generation options. This could create confusion in users of the plugin who are expecting to see a different result.

Recommendations For Jenkins Security Inspector Plugin versions 117.v6eecc36919c2 and earlier, as a temporary workaround, consider restricting access to the /report URL until a patch is available. Additionally, be cautious of reports generated by the plugin, as they may be based on attacker-specified options. At the moment, there is no information about a newer version that contains a fix for this vulnerability.