CVE-2022-20612

CWE-352 — Cross-Site Request Forgery (CSRF)7 documents7 sources

Severity

4.3MEDIUM

EPSS

0.2%

top 57.93%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Jenkins Jenkins Oracle Communications Cloud Native Core Automated Test Suite

Timeline

PublishedJan 12

Latest updateApr 15

Description

A cross-site request forgery (CSRF) vulnerability in Jenkins 2.329 and earlier, LTS 2.319.1 and earlier allows attackers to trigger build of job without parameters when no security realm is set.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

▶Mavenorg.jenkins-ci.main:jenkins-core2.320 — 2.330+1

▶NVDjenkins/jenkins2.319.1+1

▶CVEListV5jenkins_project/jenkinsunspecified — 2.329+1

▶NVDoracle/communications_cloud_native_core_automated_test_suite1.9.0

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

Cross-Site Request Forgery in Jenkins↗2022-01-21

▶

OSV

Cross-Site Request Forgery in Jenkins↗2022-01-21

▶

CVEList

CVE-2022-20612: A cross-site request forgery (CSRF) vulnerability in Jenkins 2↗2022-01-12

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Risk Matrix: Automated Test Suite Framework (Jenkins) — CVE-2022-20612↗2022-04-15

▶

Jenkins

Jenkins Security Advisory 2022-01-12↗2022-01-12

▶

Red Hat

jenkins: no POST request is required for the endpoint handling manual build requests which could result in CSRF↗2022-01-12

▶