CVE-2022-20614
Description
A missing permission check in Jenkins Mailer Plugin 391.ve4a_38c1b_cf4b_ and earlier allows attackers with Overall/Read access to use the DNS used by the Jenkins instance to resolve an attacker-specified hostname.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Mailer Plugin missing permission check allows attackers with Overall/Read to resolve arbitrary hostnames via DNS.
Vulnerability
Jenkins Mailer Plugin 391.ve4a_38c1b_cf4b_ and earlier contains a missing permission check in the doCheckSmtpServer form validation method (renamed doCheckSmtpHost by the fix). This method validates the configured SMTP server hostname by resolving it, and it does not verify that the caller holds the required permission (Overall/Administer) before performing the DNS lookup. All releases up to and including 391.ve4a_38c1b_cf4b_ are affected. [1][4]
Exploitation
An attacker with Overall/Read access to the Jenkins instance can send a crafted request to the form validation endpoint that names an arbitrary hostname, and the Jenkins server then attempts to resolve that hostname via DNS. No user interaction is required beyond the attacker's own request. In the vulnerable versions the endpoint also accepts GET requests rather than requiring POST; that aspect is tracked as a separate CSRF vulnerability (CVE-2022-20613). [1][2]
Impact
A successful attack allows the attacker to use the Jenkins instance's DNS resolver to perform DNS lookups for arbitrary hostnames. This can be leveraged for DNS rebinding attacks, reconnaissance of internal network resources, or as a stepping stone for further exploitation. The impact is limited to DNS resolution, but it can reveal whether a hostname exists and potentially aid in network mapping. [1][3]
Mitigation
The vulnerability is fixed in Mailer Plugin 408.vd726a_1130320, released on 2022-01-12. The fix adds the @RequirePOST annotation and requires Overall/Administer permission for the affected form validation method. Users should upgrade to this version or later. No workaround is documented. [1][4]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.jenkins-ci.plugins:mailer | Maven | >= 391.ve4a38c1bcf4b, < 408.vd726a | 408.vd726a |
| org.jenkins-ci.plugins:mailer | Maven | < 1.34.2 | 1.34.2 |
Affected products
- Range: <= 391.ve4a_38c1b_cf4b_
- Range: unspecified
Patches
5e6051fae61a [SECURITY-2163]
3 files changed · +39 −4
src/main/java/hudson/tasks/Mailer.java+3 −1 modified@@ -668,7 +668,9 @@ public FormValidation doAddressCheck(@QueryParameter String value) { } } - public FormValidation doCheckSmtpServer(@QueryParameter String value) { + @RequirePOST + public FormValidation doCheckSmtpHost(@QueryParameter String value) { + Jenkins.get().checkPermission(getJenkinsManageOrAdmin()); try { if (Util.fixEmptyAndTrim(value)!=null) InetAddress.getByName(value);
src/main/resources/hudson/tasks/Mailer/global.jelly+1 −1 modified@@ -26,7 +26,7 @@ THE SOFTWARE. <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form"> <f:section title="${%E-mail Notification}"> <f:entry title="${%SMTP server}" field="smtpHost"> - <f:textbox /> + <f:textbox checkMethod="post" /> </f:entry> <f:entry title="${%Default user e-mail suffix}" field="defaultSuffix"> <f:textbox />
src/test/java/hudson/tasks/MailerTest.java+35 −2 modified@@ -30,6 +30,7 @@ import hudson.model.*; import hudson.security.ACL; import hudson.security.ACLContext; +import hudson.security.AccessDeniedException2; import hudson.security.Permission; import hudson.slaves.DumbSlave; import hudson.tasks.Mailer.DescriptorImpl; @@ -67,15 +68,16 @@ import java.util.Optional; import java.util.concurrent.atomic.AtomicLong; +import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.empty; +import static org.hamcrest.Matchers.hasSize; import static org.hamcrest.Matchers.is; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertNotNull; import static org.junit.Assert.assertNotSame; import static org.junit.Assert.assertNull; import static org.junit.Assert.assertThat; -import static org.hamcrest.Matchers.containsString; -import static org.hamcrest.Matchers.hasSize; +import static org.junit.Assert.assertThrows; import static org.junit.Assert.assertTrue; /** 
@@ -471,6 +473,37 @@ public void managePermissionShouldAccessGlobalConfig() { } } + + @Test + @Issue("SECURITY-2163") + public void doCheckSmtpServerShouldThrowExceptionForUserWithoutManagePermissions() { + final String USER = "user"; + rule.jenkins.setSecurityRealm(rule.createDummySecurityRealm()); + rule.jenkins.setAuthorizationStrategy(new MockAuthorizationStrategy() + .grant(Jenkins.READ).everywhere().to(USER) + ); + final String expectedErrorMessage = "hudson.security.AccessDeniedException2: user is missing the Overall/Administer permission"; + + try (ACLContext ignored = ACL.as(User.getById(USER, true))) { + assertThrows(expectedErrorMessage, AccessDeniedException2.class, + () -> Mailer.descriptor().doCheckSmtpHost("domain.com")); + } + } + + @Test + @Issue("SECURITY-2163") + public void doCheckSmtpServerShouldNotThrowForUserWithManagePermissions() { + final String MANAGER = "manage"; + rule.jenkins.setSecurityRealm(rule.createDummySecurityRealm()); + rule.jenkins.setAuthorizationStrategy(new MockAuthorizationStrategy() + .grant(Jenkins.MANAGE).everywhere().to(MANAGER) + ); + + try (ACLContext ignored = ACL.as(User.getById(MANAGER, true))) { + Mailer.descriptor().doCheckSmtpHost("domain.com"); + } + } + // TODO: remove when Jenkins core baseline is 2.222+ private Permission getJenkinsManage() throws NoSuchMethodException, IllegalAccessException, InvocationTargetException {
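Review bot: in the src/main/java/hudson/tasks/Mailer.java hunk the permission check sits before the try block, so an unauthorized caller never reaches InetAddress.getByName(value); that ordering is the part of the fix that closes the DNS lookup and should be kept. Two inconsistencies worth tidying: the method is renamed to doCheckSmtpHost, yet the new tests keep doCheckSmtpServer in their names, and getJenkinsManageOrAdmin() admits Overall/Manage as well as Overall/Administer, while the Mitigation text above mentions only Administer.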
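Review bot: in the src/main/resources/hudson/tasks/Mailer/global.jelly hunk, checkMethod="post" only makes the configuration page send its validation request as POST; it is not itself an access control. The @RequirePOST annotation on doCheckSmtpHost is what rejects GET, and the two edits must ship together, otherwise the global configuration form would call the annotated method with a GET and its validation would fail for legitimate administrators.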
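Review bot: in the src/test/java/hudson/tasks/MailerTest.java hunk at @@ -471,6 +473,37 @@, the expectedErrorMessage string is passed as the first argument of assertThrows, which is the failure description, not a match on the thrown exception's text, so the "missing the Overall/Administer permission" wording is never actually verified; either drop the string or assert on the caught exception's getMessage(). The negative test granting only Jenkins.READ matches the advisory's Overall/Read attacker, and the positive test granting Jenkins.MANAGE confirms the Manage-or-Admin check, but neither test exercises the @RequirePOST half of the fix (a GET to the endpoint).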
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-558x-h7rg-997v (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-20614 (GHSA, advisory)
- www.openwall.com/lists/oss-security/2022/01/12/6 (GHSA, mailing list)
- github.com/jenkinsci/mailer-plugin/commit/5e6051fae61a43564e22aa89cb24ed8a42a26052 (GHSA, web)
- www.jenkins.io/security/advisory/2022-01-12/ (GHSA, web)
- www.oracle.com/security-alerts/cpuapr2022.html (GHSA, web)
News mentions
- Jenkins Security Advisory 2022-01-12 (Jenkins Security Advisories, Jan 12, 2022)