Moderate severity · NVD Advisory · Published Jan 12, 2022 · Updated Aug 3, 2024
CVE-2022-23111
Description
A cross-site request forgery (CSRF) vulnerability in Jenkins Publish Over SSH Plugin 1.22 and earlier allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials.
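The pattern behind this advisory, shown as an added example that is not the plugin's own code: a Stapler form-validation method that opens an outbound SSH connection from request parameters, first in the GET-reachable shape affected in 1.22 and earlier, then hardened with `@RequirePOST` and a permission check. Class, method and parameter names here are illustrative; `tryConnect` stands in for the real SSH handshake and does not dial anything.

```java
// Added example, not code from publish-over-ssh-plugin. Assumes a Jenkins
// descriptor class; all names are illustrative.
package example;

import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

public class ExampleSshDescriptorForms {

    // BEFORE (1.22-and-earlier shape): a web-bound method reachable by plain GET.
    // A page on another site can make a logged-in user's browser issue that GET
    // with attacker-chosen hostname, username and credential parameters, and the
    // Jenkins controller then connects to that host with those credentials.
    public FormValidation doTestConnectionVulnerable(@QueryParameter String hostname,
                                                     @QueryParameter String username,
                                                     @QueryParameter String encryptedPassphrase) {
        return tryConnect(hostname, username, encryptedPassphrase);
    }

    // AFTER: @RequirePOST makes Stapler reject non-POST requests, so the method is
    // only reachable through Jenkins' own forms, which carry the CSRF crumb.
    // The permission check is a separate control: POST-only stops cross-site
    // requests, it does not decide which authenticated user may trigger a
    // connection, so the hardened method checks that explicitly as well.
    @RequirePOST
    public FormValidation doTestConnection(@QueryParameter String hostname,
                                           @QueryParameter String username,
                                           @QueryParameter String encryptedPassphrase) {
        // Assumption: testing a global SSH host is an administrator-only action.
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return tryConnect(hostname, username, encryptedPassphrase);
    }

    // Placeholder for the real SSH connection attempt; validates input only.
    private FormValidation tryConnect(String hostname, String username, String encryptedPassphrase) {
        if (hostname == null || hostname.trim().isEmpty()) {
            return FormValidation.error("Hostname is required");
        }
        if (username == null || username.trim().isEmpty()) {
            return FormValidation.error("Username is required");
        }
        return FormValidation.ok("Would connect as " + username + "@" + hostname);
    }
}
```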
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:publish-over-ssh (Maven) | < 1.23 | 1.23 |
Affected products
- Range: unspecified
Patches
21bf41adbce9 [SECURITY-2290] add missing @RequirePOST
3 files changed · +6 −0
src/main/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshCredentialsDescriptor.java+2 −0 modified@@ -37,6 +37,7 @@ import jenkins.plugins.publish_over_ssh.BapSshPublisherPlugin; import org.kohsuke.stapler.QueryParameter; import org.kohsuke.stapler.Stapler; +import org.kohsuke.stapler.interceptor.RequirePOST; import java.io.IOException; @@ -73,6 +74,7 @@ public FormValidation doCheckKeyPath(@QueryParameter final String value) { } } + @RequirePOST public FormValidation doTestConnection(@QueryParameter final String configName, @QueryParameter final String username, @QueryParameter final String encryptedPassphrase, @QueryParameter final String key, @QueryParameter final String keyPath) {
src/main/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshHostConfigurationDescriptor.java+2 −0 modified@@ -35,6 +35,7 @@ import org.kohsuke.stapler.QueryParameter; import org.kohsuke.stapler.StaplerRequest; import org.kohsuke.stapler.StaplerResponse; +import org.kohsuke.stapler.interceptor.RequirePOST; @Extension public class BapSshHostConfigurationDescriptor extends Descriptor<BapSshHostConfiguration> { @@ -84,6 +85,7 @@ public FormValidation doCheckKeyPath(@QueryParameter final String value) { return BPValidators.validateFileOnMaster(value); } + @RequirePOST public FormValidation doTestConnection(final StaplerRequest request, final StaplerResponse response) { final BapSshPublisherPlugin.Descriptor pluginDescriptor; Jenkins j = Jenkins.getInstanceOrNull();
src/main/java/jenkins/plugins/publish_over_ssh/descriptor/BapSshPublisherPluginDescriptor.java+2 −0 modified@@ -53,6 +53,7 @@ import jenkins.plugins.publish_over_ssh.options.SshDefaults; import jenkins.plugins.publish_over_ssh.options.SshPluginDefaults; import net.sf.json.JSONObject; +import org.kohsuke.stapler.interceptor.RequirePOST; @SuppressWarnings("PMD.TooManyMethods") public class BapSshPublisherPluginDescriptor extends BuildStepDescriptor<Publisher> { @@ -190,6 +191,7 @@ public jenkins.plugins.publish_over.view_defaults.manage_jenkins.Messages getCom return new jenkins.plugins.publish_over.view_defaults.manage_jenkins.Messages(); } + @RequirePOST public FormValidation doTestConnection(final StaplerRequest request, final StaplerResponse response) { final BapSshHostConfiguration hostConfig = request.bindParameters(BapSshHostConfiguration.class, ""); hostConfig.setCommonConfig(request.bindParameters(BapSshCommonConfiguration.class, "common."));
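Review bot: In the BapSshCredentialsDescriptor hunk, `@RequirePOST` on `doTestConnection(...)` closes the cross-site path, but the visible lines show no permission check before the method uses the supplied `username`, `encryptedPassphrase`, `key` and `keyPath` to open a connection; if none exists further down in the body, add a `Jenkins.get().checkPermission(...)` call with the appropriate permission as the first statement, since POST-only stops cross-site requests but does not restrict which authenticated user may trigger an outbound SSH connection.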
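Review bot: In the BapSshHostConfigurationDescriptor hunk, `Jenkins j = Jenkins.getInstanceOrNull();` inside a web-bound method is a style point: while a Stapler request is being served the Jenkins instance always exists, so `Jenkins.get()`, which throws instead of returning null, removes a null branch here; the same question about a permission check alongside the new `@RequirePOST` applies to this `doTestConnection(request, response)` as to the credentials descriptor.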
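Review bot: In the BapSshPublisherPluginDescriptor hunk, `request.bindParameters(BapSshHostConfiguration.class, "")` builds the entire host configuration from request parameters immediately after the new annotation, so a permission check belongs before that binding; in addition, the change touches only the three `src/main` files ("3 files changed · +6 −0") and adds no test asserting that a GET to these `doTestConnection` endpoints is now rejected, and a regression test for that would keep the fix from being silently lost in a later refactor.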
References
- github.com/advisories/GHSA-884c-9wwh-9p6v (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-23111 (NVD entry)
- www.openwall.com/lists/oss-security/2022/01/12/6 (oss-security mailing list)
- github.com/jenkinsci/publish-over-ssh-plugin/commit/21bf41adbce9e71d3f77e113e29bf81d437cadc3 (fix commit)
- github.com/jenkinsci/publish-over-ssh-plugin/releases/tag/publish-over-ssh-1.23 (release 1.23)
- www.jenkins.io/security/advisory/2022-01-12/ (Jenkins security advisory)