CSRF Vulnerability in Jenkins CloudBees AWS Credentials Plugin
CVE-2022-27198

8HIGH

Key Information:

Vendor: Jenkins
Status: Jenkins Cloudbees Aws Credentials Plugin
Vendor: CVE Published:; 15 March 2022

What is CVE-2022-27198?

A cross-site request forgery (CSRF) vulnerability has been identified in the Jenkins CloudBees AWS Credentials Plugin, enabling attackers with Overall/Read permission to initiate actions on AWS services using an attacker-defined token. This security flaw could allow unauthorized access, potentially compromising AWS credentials and exposing sensitive data.

Affected Version(s)

Jenkins CloudBees AWS Credentials Plugin <= 189.v3551d5642995

Jenkins CloudBees AWS Credentials Plugin 1.28.2

Jenkins CloudBees AWS Credentials Plugin 1.32.1

References

https://www.jenkins.io/security/advisory/2022-03-15/#SECU...

x_refsource_CONFIRM

http://www.openwall.com/lists/oss-security/2022/03/15/2

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 15, 2022
Vulnerability Reserved
Mar 15, 2022