VYPR
Moderate severityNVD Advisory· Published Jan 12, 2022· Updated Aug 3, 2024

CVE-2022-20613


Description

A cross-site request forgery (CSRF) vulnerability in Jenkins Mailer Plugin 391.ve4a_38c1b_cf4b_ and earlier allows attackers to use the DNS used by the Jenkins instance to resolve an attacker-specified hostname.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins Mailer Plugin prior to 408.vd726a_1130320 has a CSRF vulnerability allowing attackers to resolve an attacker-specified hostname using the Jenkins DNS.

Vulnerability

A cross-site request forgery (CSRF) vulnerability exists in Jenkins Mailer Plugin versions 391.ve4a_38c1b_cf4b_ and earlier. The plugin's form validation method for the SMTP server field neither requires a POST request nor checks a permission before acting on the submitted value, so an attacker can craft a request that, when executed by an authenticated administrator, makes the DNS resolver of the Jenkins instance look up an attacker-specified hostname. This affects the Mailer Plugin up to and including version 391.ve4a_38c1b_cf4b_ [1][2][3].

Exploitation

To exploit this vulnerability, an attacker must trick a Jenkins user with at least Overall/Read access into visiting a malicious page or link that triggers a cross-site request. The attacker can then use the DNS resolution capability of the Jenkins instance to resolve a hostname of their choice. No authentication or write access is needed beyond the victim's session, and the attack does not depend on any race window [1][2].

Impact

Successful exploitation allows the attacker to use the Jenkins instance's DNS to resolve an attacker-specified hostname. This could be used to probe internal network resources, map the network, or exfiltrate information via DNS queries, though the direct outcome is limited to DNS resolution. The attacker does not gain direct code execution or data modification [1][2].

Mitigation

The Jenkins Mailer Plugin version 408.vd726a_1130320, released on 2022-01-12, fixes this vulnerability by requiring POST requests and Overall/Administer permission for the affected form validation method. Users should upgrade to this version or later. No known workarounds exist for earlier versions, and this issue is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog [1][2][3].
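A defender-side check for the bug class this advisory describes (a Stapler form validation method reachable by GET and missing a permission check), added here as an example; it is not code from the Mailer Plugin or its fix commit. It scans plugin source for `public FormValidation do*(...)` methods and reports those without `@RequirePOST` above them or a `checkPermission(...)` call in the body; the embedded Java is a constructed sample, and the matching assumes the Jenkins conventions shown in the patch rather than a real Java parser.

```python
import re

# Constructed sample (not the plugin's real source): the pre-fix Mailer
# validator, its hardened shape, and an unrelated getter that must not flag.
SAMPLE_JAVA = """
public class Mailer {
    public FormValidation doCheckSmtpServer(@QueryParameter String value) {
        try {
            if (Util.fixEmptyAndTrim(value) != null) InetAddress.getByName(value);
        } catch (UnknownHostException e) { return FormValidation.error("bad host"); }
        return FormValidation.ok();
    }

    @RequirePOST
    public FormValidation doCheckSmtpHost(@QueryParameter String value) {
        Jenkins.get().checkPermission(getJenkinsManageOrAdmin());
        return FormValidation.ok();
    }
    public String getDisplayName() { return "Mail"; }
}
"""

# Group 1: the annotation lines directly above a `public FormValidation do*(`.
METHOD_RE = re.compile(
    r"((?:^[ \t]*@\w+.*\n)*)^[ \t]*public\s+FormValidation\s+(do\w+)\s*\(",
    re.MULTILINE,
)

def method_body(src, pos):
    """Slice from the first '{' at/after pos to its matching '}' (brace depth)."""
    start, depth = src.index("{", pos), 0
    for i in range(start, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return src[start:i + 1]
    return src[start:]  # unbalanced braces: return the remainder

def find_unguarded_validators(java_source):
    """[(name, missing_guards)] for each do* validator lacking a guard."""
    findings = []
    for m in METHOD_RE.finditer(java_source):
        annotations, name = m.group(1), m.group(2)
        body = method_body(java_source, m.end())
        missing = [g for g, present in
                   (("@RequirePOST", "@RequirePOST" in annotations),
                    ("checkPermission", "checkPermission(" in body)) if not present]
        if missing:
            findings.append((name, missing))
    return findings
```

Running `find_unguarded_validators(SAMPLE_JAVA)` flags only `doCheckSmtpServer`, for both missing guards, which is exactly the pair the fix commit adds.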

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                        Ecosystem  Affected versions                      Patched versions
org.jenkins-ci.plugins:mailer  Maven      >= 391.ve4a38c1bcf4b, < 408.vd726a     408.vd726a
org.jenkins-ci.plugins:mailer  Maven      < 1.34.2                               1.34.2


Patches

5e6051fae61a

[SECURITY-2163]

https://github.com/jenkinsci/mailer-plugin · Yaroslav Afenkin · Dec 7, 2021 · via ghsa
3 files changed · +39 −4
  • src/main/java/hudson/tasks/Mailer.java (+3 −1, modified)
    @@ -668,7 +668,9 @@ public FormValidation doAddressCheck(@QueryParameter String value) {
                 }
             }
     
    -        public FormValidation doCheckSmtpServer(@QueryParameter String value) {
    +        @RequirePOST
    +        public FormValidation doCheckSmtpHost(@QueryParameter String value) {
    +            Jenkins.get().checkPermission(getJenkinsManageOrAdmin());
                 try {
                     if (Util.fixEmptyAndTrim(value)!=null)
                         InetAddress.getByName(value);
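Review bot: the hardening is bundled with a rename from doCheckSmtpServer to doCheckSmtpHost, which removes the old endpoint and so is a behaviour change beyond the security fix; the commit message "[SECURITY-2163]" should say so, and the new test names in MailerTest.java, which still read doCheckSmtpServer..., should follow the rename. The new name also matches the `field="smtpHost"` textbox in global.jelly under the doCheck<Field> convention, which the old name did not. Ordering is right: `Jenkins.get().checkPermission(getJenkinsManageOrAdmin());` runs before `Util.fixEmptyAndTrim(value)` and `InetAddress.getByName(value)`, so nothing is resolved before authorization.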
    
  • src/main/resources/hudson/tasks/Mailer/global.jelly (+1 −1, modified)
    @@ -26,7 +26,7 @@ THE SOFTWARE.
     <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
       <f:section title="${%E-mail Notification}">
         <f:entry title="${%SMTP server}" field="smtpHost">
    -      <f:textbox />
    +      <f:textbox checkMethod="post" />
         </f:entry>
         <f:entry title="${%Default user e-mail suffix}" field="defaultSuffix">
           <f:textbox />
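Review bot: `checkMethod="post"` is required here to pair with the @RequirePOST added in Mailer.java; without it the configuration page's live validation would still issue a GET and now receive a rejection instead of a result. Since the validator was also renamed, confirm that no other view or script in the plugin still calls the old checkSmtpServer URL.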
    
  • src/test/java/hudson/tasks/MailerTest.java (+35 −2, modified)
    @@ -30,6 +30,7 @@
     import hudson.model.*;
     import hudson.security.ACL;
     import hudson.security.ACLContext;
    +import hudson.security.AccessDeniedException2;
     import hudson.security.Permission;
     import hudson.slaves.DumbSlave;
     import hudson.tasks.Mailer.DescriptorImpl;
    @@ -67,15 +68,16 @@
     import java.util.Optional;
     import java.util.concurrent.atomic.AtomicLong;
     
    +import static org.hamcrest.Matchers.containsString;
     import static org.hamcrest.Matchers.empty;
    +import static org.hamcrest.Matchers.hasSize;
     import static org.hamcrest.Matchers.is;
     import static org.junit.Assert.assertEquals;
     import static org.junit.Assert.assertNotNull;
     import static org.junit.Assert.assertNotSame;
     import static org.junit.Assert.assertNull;
     import static org.junit.Assert.assertThat;
    -import static org.hamcrest.Matchers.containsString;
    -import static org.hamcrest.Matchers.hasSize;
    +import static org.junit.Assert.assertThrows;
     import static org.junit.Assert.assertTrue;
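Review bot: the `containsString` and `hasSize` imports are only moved (removed below `assertThat`, re-added above `empty`); that reordering is unrelated to SECURITY-2163 and inflates the diff that has to be backported, so it belongs in a separate commit. Only the `assertThrows` import is needed for this fix.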
     
     /**
    @@ -471,6 +473,37 @@ public void managePermissionShouldAccessGlobalConfig() {
             }
         }
     
    +
    +    @Test
    +    @Issue("SECURITY-2163")
    +    public void doCheckSmtpServerShouldThrowExceptionForUserWithoutManagePermissions() {
    +        final String USER = "user";
    +        rule.jenkins.setSecurityRealm(rule.createDummySecurityRealm());
    +        rule.jenkins.setAuthorizationStrategy(new MockAuthorizationStrategy()
    +                .grant(Jenkins.READ).everywhere().to(USER)
    +        );
    +        final String expectedErrorMessage = "hudson.security.AccessDeniedException2: user is missing the Overall/Administer permission";
    +
    +        try (ACLContext ignored = ACL.as(User.getById(USER, true))) {
    +            assertThrows(expectedErrorMessage, AccessDeniedException2.class,
    +                    () -> Mailer.descriptor().doCheckSmtpHost("domain.com"));
    +        }
    +    }
    +
    +    @Test
    +    @Issue("SECURITY-2163")
    +    public void doCheckSmtpServerShouldNotThrowForUserWithManagePermissions() {
    +        final String MANAGER = "manage";
    +        rule.jenkins.setSecurityRealm(rule.createDummySecurityRealm());
    +        rule.jenkins.setAuthorizationStrategy(new MockAuthorizationStrategy()
    +                .grant(Jenkins.MANAGE).everywhere().to(MANAGER)
    +        );
    +
    +        try (ACLContext ignored = ACL.as(User.getById(MANAGER, true))) {
    +            Mailer.descriptor().doCheckSmtpHost("domain.com");
    +        }
    +    }
    +
         // TODO: remove when Jenkins core baseline is 2.222+
         private Permission getJenkinsManage() throws NoSuchMethodException, IllegalAccessException,
                                                      InvocationTargetException {
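Review bot: in `assertThrows(expectedErrorMessage, AccessDeniedException2.class, ...)` the String argument is the assertion failure message, not a check on the thrown exception, so `expectedErrorMessage` is never compared against anything; capture the return value of assertThrows and assert on its getMessage() if the "missing the Overall/Administer permission" text is meant to be verified (note the code under test checks getJenkinsManageOrAdmin(), so the wording may also depend on the core version). The positive test calls doCheckSmtpHost("domain.com"), which reaches InetAddress.getByName in the Mailer.java hunk and therefore depends on live DNS; an IP literal or "localhost" would keep the test hermetic. Both test method names still say doCheckSmtpServer although they exercise doCheckSmtpHost.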
    
