VYPR
← All advisories
Moderate severityNVD Advisory· Published Apr 8, 2021· Updated Aug 3, 2024

CVE-2021-22512

CVE-2021-22512

Description

CSRF vulnerability in Jenkins Micro Focus Application Automation Tools Plugin allows unauthorized form validation in versions 6.7 and earlier.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CSRF vulnerability in Jenkins Micro Focus Application Automation Tools Plugin allows unauthorized form validation in versions 6.7 and earlier.

Vulnerability

The Micro Focus Application Automation Tools Plugin (now OpenText Application Automation Tools Plugin) for Jenkins is vulnerable to Cross-Site Request Forgery (CSRF) in versions 6.7 and earlier [1]. The plugin's doDynamic method in AlmServerSettingsGlobalConfiguration and other related classes perform form validation and other actions without requiring a POST request or proper permission checks, allowing CSRF attacks [2][3].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious link or script that, when clicked by a authenticated Jenkins user, triggers an unauthorized action such as form validation, clearing job list cache, or re-enqueuing events. No special network position or authentication is required beyond tricking a user into visiting a crafted page [3]. The attack does not require the victim to have any special permissions beyond being logged into Jenkins.

Impact

Successful CSRF exploitation allows an attacker to perform form validation and other plugin-specific actions without proper permission checks [1]. This could lead to unauthorized modifications of plugin settings or denial of service, though the concrete impact depends on the actions performed [3]. The vulnerability does not directly lead to arbitrary code execution, but may enable further attacks.

Mitigation

The vulnerability is fixed in version 6.8 of the plugin, which adds proper permission checks (e.g., Jenkins.READ, Jenkins.ADMINISTER) to the affected endpoints [2]. Users should upgrade to the latest version of OpenText Application Automation Tools Plugin from the Jenkins update center [4]. No workarounds are available for earlier versions.

References
  1. NVD - CVE-2021-22512
  2. [SECURITY-2132] · jenkinsci/hpe-application-automation-tools-plugin@497a143
  3. Jenkins Security Advisory 2021-04-07
  4. GitHub - jenkinsci/hpe-application-automation-tools-plugin: Jenkins plugin to run OpenText Application Automation Tools

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.jenkins-ci.plugins:hp-application-automation-tools-pluginMaven
< 6.86.8

Affected products

1

Patches

1
497a143d9a95

[SECURITY-2132]

https://github.com/jenkinsci/hpe-application-automation-tools-pluginPaul-Adrian-TofanMar 30, 2021via ghsa
commit
5 files changed · +18 1
  • src/main/java/com/microfocus/application/automation/tools/octane/actions/PluginActions.java+5 0 modified
    @@ -35,6 +35,7 @@
 import com.microfocus.application.automation.tools.octane.configuration.ConfigurationService;
 import hudson.Extension;
 import hudson.model.RootAction;
+import jenkins.model.Jenkins;
 import net.sf.json.JSONObject;
 import org.apache.http.entity.ContentType;
 import org.kohsuke.stapler.StaplerRequest;
@@ -84,19 +85,23 @@ public String getUrlName() {
 
     public void doDynamic(StaplerRequest req, StaplerResponse res) throws IOException {
 
+        Jenkins.get().checkPermission(Jenkins.READ);
         res.setHeader(CONTENT_TYPE, ContentType.TEXT_PLAIN.getMimeType());
         res.setStatus(200);
         if (req.getRequestURI().toLowerCase().contains(STATUS_REQUEST)) {
             JSONObject result = getStatusResult(req.getParameterMap());
             res.setHeader(CONTENT_TYPE, ContentType.APPLICATION_JSON.getMimeType());
             res.getWriter().write(result.toString());
         } else if (req.getRequestURI().toLowerCase().contains(REENQUEUE_EVENT_REQUEST)) {
+            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
             reEnqueueEvent(req.getParameterMap());
             res.getWriter().write("resent");
         } else if (req.getRequestURI().toLowerCase().contains(CLEAR_JOB_LIST_CACHE)) {
+            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
             resetJobListCache();
             res.getWriter().write("done");
         } else if (req.getRequestURI().toLowerCase().contains(CLEAR_OCTANE_ROOTS_CACHE)) {
+            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
             resetOctaneRootsCache();
             res.getWriter().write("done");
         } else if (req.getRequestURI().toLowerCase().contains(OCTANE_ROOTS_CACHE)) {
  • src/main/java/com/microfocus/application/automation/tools/settings/AlmServerSettingsGlobalConfiguration.java+4 0 modified
    @@ -37,12 +37,14 @@
 import hudson.XmlFile;
 import hudson.util.FormValidation;
 import jenkins.model.GlobalConfiguration;
+import jenkins.model.Jenkins;
 import net.sf.json.JSONArray;
 import net.sf.json.JSONObject;
 import org.apache.commons.lang.StringUtils;
 import org.apache.logging.log4j.Logger;
 import org.kohsuke.stapler.QueryParameter;
 import org.kohsuke.stapler.StaplerRequest;
+import org.kohsuke.stapler.interceptor.RequirePOST;
 
 import java.io.IOException;
 import java.io.Serializable;
@@ -125,7 +127,9 @@ public boolean configure(StaplerRequest req, JSONObject formData) throws FormExc
         return super.configure(req, formData);
     }
 
+    @RequirePOST
     public FormValidation doCheckAlmServerUrl(@QueryParameter String value) {
+        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
         return checkQcServerURL(value, false);
     }
  • src/main/java/com/microfocus/application/automation/tools/settings/OctaneServerSettingsGlobalConfiguration.java+4 0 modified
    @@ -48,13 +48,15 @@
 import hudson.util.FormValidation;
 import hudson.util.Secret;
 import jenkins.model.GlobalConfiguration;
+import jenkins.model.Jenkins;
 import net.sf.json.JSONArray;
 import net.sf.json.JSONObject;
 import org.apache.commons.lang.StringEscapeUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.logging.log4j.Logger;
 import org.kohsuke.stapler.QueryParameter;
 import org.kohsuke.stapler.StaplerRequest;
+import org.kohsuke.stapler.interceptor.RequirePOST;
 
 import java.io.Serializable;
 import java.util.*;
@@ -347,6 +349,7 @@ private void fireOnChanged(OctaneServerSettingsModel newConf, OctaneServerSettin
         }
     }
 
+    @RequirePOST
     @SuppressWarnings("unused")
     public FormValidation doTestConnection(StaplerRequest req,
                                            @QueryParameter("uiLocation") String uiLocation,
@@ -357,6 +360,7 @@ public FormValidation doTestConnection(StaplerRequest req,
                                            @QueryParameter("workspace2ImpersonatedUserConf") String workspace2ImpersonatedUserConf,
                                            @QueryParameter("parameters") String parameters
     ) {
+        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
         String myImpersonatedUser = StringUtils.trim(impersonatedUser);
         String myUsername = StringUtils.trim(username);
         OctaneUrlParser octaneUrlParser;
  • src/main/java/com/microfocus/application/automation/tools/settings/SvServerSettingsGlobalConfiguration.java+4 0 modified
    @@ -38,10 +38,12 @@
 import hudson.XmlFile;
 import hudson.util.FormValidation;
 import jenkins.model.GlobalConfiguration;
+import jenkins.model.Jenkins;
 import net.sf.json.JSONObject;
 import org.apache.commons.lang.StringUtils;
 import org.kohsuke.stapler.QueryParameter;
 import org.kohsuke.stapler.StaplerRequest;
+import org.kohsuke.stapler.interceptor.RequirePOST;
 
 import java.io.Serializable;
 import java.net.MalformedURLException;
@@ -135,10 +137,12 @@ public FormValidation doCheckPassword(@QueryParameter String value, @QueryParame
         return FormValidation.ok();
     }
 
+    @RequirePOST
     @SuppressWarnings("unused")
     public FormValidation doTestConnection(@QueryParameter("url") final String url, @QueryParameter("username") final String username,
                                            @QueryParameter("password") final String password) {
         try {
+            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
             Credentials credentials = (!StringUtils.isBlank(username)) ? new Credentials(username, password) : null;
             ICommandExecutor commandExecutor = new CommandExecutorFactory().createCommandExecutor(new URL(url), credentials);
             ServerInfo serverInfo = commandExecutor.getClient().getServerInfo();
  • src/main/resources/com/microfocus/application/automation/tools/settings/AlmServerSettingsGlobalConfiguration/config.jelly+1 1 modified
    @@ -50,7 +50,7 @@
 			</f:entry>
 
 			<f:entry title="${%ALM server URL}" field="almServerUrl">
-				<f:textbox value="${inst.almServerUrl}" name="alm.almServerUrl" />
+				<f:textbox value="${inst.almServerUrl}" name="alm.almServerUrl" checkMethod="post" />
 			</f:entry>
 
             <f:entry>

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

1