CVE-2022-20612
Published: 2022-01-12
Priority: P4 · 21 · medium · 4.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
EPSS: 1.78% (75.5th percentile)
A cross-site request forgery (CSRF) vulnerability in Jenkins 2.329 and earlier, LTS 2.319.1 and earlier allows attackers to trigger build of job without parameters when no security realm is set.
Affected
27 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | active_directory_plugin | — | — |
| jenkins | badge_plugin | — | — |
| jenkins | bitbucket_branch_source_plugin | — | — |
| jenkins | configuration_as_code_plugin | — | — |
| jenkins | conjur_secrets_plugin | — | — |
| jenkins | credentials_binding_plugin | — | — |
| jenkins | credentials_plugin | — | — |
| jenkins | debian_package_builder_plugin | — | — |
| jenkins | docker_commons_plugin | — | — |
| jenkins | groovy_plugin | — | — |
| jenkins | hashicorp_vault_plugin | — | — |
| jenkins | ids_in_bitbucket_branch_source_plugin | — | — |
| jenkins | improper_credentials_masking_in_hashicorp_vault_plugin | — | — |
| jenkins | jenkins | <= 2.319.1 | — |
| jenkins | jenkins | <= 2.329 | — |
| jenkins | jenkins_core | — | — |
| jenkins | jenkins_lts | — | — |
| jenkins | jenkins_ui_requesting_they_update_the_plugin | — | — |
| jenkins | jenkins_weekly | — | — |
| jenkins | mailer_plugin | — | — |
| jenkins | matrix_project_plugin | — | — |
| jenkins | metrics_plugin | — | — |
| jenkins | publish_over_ssh_plugin | — | — |
| jenkins | ssh_agent_plugin | — | — |
| jenkins | warnings_plugin | — | — |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
| nvd | v2.0 | 2.6 | LOW | AV:N/AC:H/Au:N/C:N/I:P/A:N |
| vendor_oracle | — | 4.3 | MEDIUM | — |
| vendor_redhat | — | 4.3 | MEDIUM | — |
Oracle
Oracle Communications Risk Matrix: Automated Test Suite Framework (Jenkins) — CVE-2022-20612
vendor_oracle · 2022-04-15 · CVSS 4.3 · MEDIUM
CVE: CVE-2022-20612
CVSS: 4.3
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpuapr2022 (APR 2022)
Jenkins
Jenkins Security Advisory 2022-01-12
vendor_jenkins · 2022-01-12 · CVSS 4.3 · MEDIUM
This advisory announces vulnerabilities in the following Jenkins deliverables:
- Jenkins (core)
- Active Directory Plugin
- Badge Plugin
- batch task Plugin
- Bitbucket Branch Source Plugin
- Configuration as Code Plugin
- Conjur Secrets Plugin
- Credential
Red Hat
jenkins: no POST request is required for the endpoint handling manual build requests which could result in CSRF
vendor_redhat · 2022-01-12 · CVSS 4.3 · MEDIUM · CWE-352
A cross-site request forgery (CSRF) vulnerability was found in Jenkins. POST requests are not required for the HTTP endpoint handling manual build requests when no security realm is set. This flaw allows an attacker to trigger the building of a job without parameters.
Package: jenkins (Red Hat Fuse 7) - Not affected
GHSA
Cross-Site Request Forgery in Jenkins
ghsa · 2022-01-21 · MEDIUM · CWE-352
Jenkins 2.329 and earlier, LTS 2.319.1 and earlier do not require POST requests for the HTTP endpoint handling manual build requests when no security realm is set, resulting in a cross-site request forgery (CSRF) vulnerability.
This vulnerability allows attackers to trigger builds of jobs without parameters.
Jenkins 2.330, LTS 2.319.2 require POST requests for the affected HTTP endpoint.
OSV
Cross-Site Request Forgery in Jenkins
osv · 2022-01-21 · MEDIUM
The OSV entry carries the same description and fix statement as the GHSA entry: Jenkins 2.329 and earlier, LTS 2.319.1 and earlier do not require POST requests for the HTTP endpoint handling manual build requests when no security realm is set (CSRF, allowing attackers to trigger builds of jobs without parameters); Jenkins 2.330, LTS 2.319.2 require POST requests for the affected HTTP endpoint.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- http://www.openwall.com/lists/oss-security/2022/01/12/6
- https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2558
- https://www.oracle.com/security-alerts/cpuapr2022.html

Published: 2022-01-12