Cross-Site Request Forgery in Jenkins OpenShift Deployer Plugin
CVE-2022-36908

6.5MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Openshift Deployer Plugin
Vendor: CVE Published:; 27 July 2022

What is CVE-2022-36908?

The Jenkins OpenShift Deployer Plugin is susceptible to a cross-site request forgery (CSRF) vulnerability that enables attackers to potentially check for the existence of specified file paths on the Jenkins controller file system. Moreover, attackers can exploit this vulnerability to upload SSH key files from the Jenkins controller file system to a maliciously designated URL. This can lead to unauthorized access and manipulation of server resources. Users of affected versions are strongly advised to update to the latest version to mitigate risks.

Affected Version(s)

Jenkins OpenShift Deployer Plugin <= 1.2.0

References

https://www.jenkins.io/security/advisory/2022-07-27/#SECU...

x_refsource_CONFIRM

http://www.openwall.com/lists/oss-security/2022/07/27/1

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 27, 2022
Vulnerability Reserved
Jul 27, 2022