CVE-2022-25194
Description
CSRF in Jenkins autonomiq Plugin allows attackers to connect to an attacker-specified URL using attacker-specified credentials.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Jenkins autonomiq Plugin, versions 1.15 and earlier, contains a cross-site request forgery (CSRF) vulnerability. Several of its form-validation methods neither require POST requests nor perform a permission check, so a crafted request that a logged-in Jenkins user is tricked into issuing runs with that user's session. The methods protected by the fix commit are doFillProjectItems, doFillPlatformTestCasesItems, doFillPlatformTestSuitesItems, doFillBrowserTestCasesItems, doFillBrowserTestSuitesItems and doFillExecutionModeItems [1][3]. They populate dropdown lists in the build-step configuration form; doFillProjectItems does so by connecting to the AutonomiQ service at the supplied aiqUrl with the supplied login and password (optionally through the supplied proxy settings), while the others return fixed lists.
Exploitation
Exploitation requires tricking a user who is logged in to Jenkins into visiting an attacker-controlled web page or following a crafted link. Before the fix none of the affected methods checked permissions, so the victim does not need to be an administrator; any authenticated user who can reach the plugin's form-validation endpoints will do. Because the methods do not require POST, a plain GET request to doFillProjectItems carrying attacker-chosen aiqUrl, login, password and proxy parameters is enough [1][3]. The browser attaches the victim's session, Jenkins processes the request as that user, and the Jenkins controller then connects to the attacker-specified URL using the attacker-specified credentials.
Impact
Successful exploitation makes the Jenkins controller open an outbound connection to an attacker-chosen server, presenting attacker-chosen credentials and, if supplied, attacker-chosen proxy settings. The doFill methods only populate a dropdown and do not persist configuration, so the attacker does not change the plugin's saved settings, gain code execution or read data out of Jenkins directly. What the attacker gains is the controller's network position (it can be made to connect to hosts the attacker cannot reach) and control over the response that the plugin's client code parses, which is the surface for any follow-on attack [1][2].
Mitigation
autonomiq Plugin 1.16 fixes the issue by annotating each affected method with @POST and adding a Jenkins.get().checkPermission(Jenkins.ADMINISTER) call at the top of its body [1][3]. Update to 1.16 or later. No workaround is documented [2]. One consequence of the fix worth knowing before rolling it out: the dropdowns are now populated only for users holding Overall/Administer, so fill requests from other users who configure the build step are rejected.
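An added example, not the plugin's or the Jenkins project's own code, that turns the two controls named in the Vulnerability and Mitigation sections into a review-time triage script: it scans Java source for Jenkins form-validation methods (doFill*Items, doCheck*) and reports any that lack a POST-only annotation or a permission check in the body. The two Java snippets it runs over are constructed to mirror the before/after shape of the fix commit, not copied from the repository; listProjects is a hypothetical helper.

```python
"""Triage check for the defect class behind CVE-2022-25194: Jenkins
form-validation methods that lack @POST/@RequirePOST or a permission check.
Regex-based, for code review only: a comment between the annotations and the
signature, or a brace inside a string literal, will confuse it."""
import re
from dataclasses import dataclass

# Annotations directly above a public validation method, then its signature.
METHOD_RE = re.compile(
    r"(?P<annotations>(?:@\w+(?:\([^)]*\))?\s*)*)"   # e.g. @SuppressWarnings("unused") @POST
    r"public\s+[\w.<>\[\]]+\s+"                       # return type (ListBoxModel, FormValidation)
    r"(?P<name>do(?:Fill\w+Items|Check\w+))\s*\("     # Jenkins validation-method naming
)
ANNOTATION_RE = re.compile(r"@(\w+)")
POST_ANNOTATIONS = {"POST", "RequirePOST"}
PERMISSION_CALL_RE = re.compile(r"\.(?:checkPermission|hasPermission)\s*\(")


@dataclass
class Finding:
    method: str
    has_post: bool              # @POST or @RequirePOST on the method
    has_permission_check: bool  # checkPermission(...) / hasPermission(...) in the body

    def problems(self) -> list[str]:
        out = []
        if not self.has_post:
            out.append("reachable via GET (CSRF)")
        if not self.has_permission_check:
            out.append("no permission check")
        return out


def _body_after(src: str, pos: int) -> str:
    """Text of the first brace-delimited block starting at or after pos."""
    start = src.index("{", pos)
    depth = 0
    for i in range(start, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[start + 1:i]
    raise ValueError("unbalanced braces in method body")


def audit(java_source: str) -> list[Finding]:
    """Record, for every form-validation method, which of the two controls it carries."""
    findings = []
    for m in METHOD_RE.finditer(java_source):
        names = set(ANNOTATION_RE.findall(m.group("annotations")))
        body = _body_after(java_source, m.end())
        findings.append(Finding(
            method=m.group("name"),
            has_post=bool(names & POST_ANNOTATIONS),
            has_permission_check=bool(PERMISSION_CALL_RE.search(body)),
        ))
    return findings


def report(java_source: str) -> list[str]:
    """One line per method that is missing at least one control."""
    return [f"{f.method}: " + ", ".join(f.problems())
            for f in audit(java_source) if f.problems()]


# Constructed sample modeled on the pre-fix shape of two methods in
# AutonomiqBuilder.java; not the plugin's source. listProjects is hypothetical.
BEFORE = '''
    @SuppressWarnings("unused")
    public ListBoxModel doFillProjectItems(@QueryParameter String aiqUrl,
            @QueryParameter String login, @QueryParameter Secret password) {
        if (aiqUrl.length() > 0 && login.length() > 0) {
            return listProjects(aiqUrl, login, password);
        }
        return new ListBoxModel();
    }

    @SuppressWarnings("unused")
    public ListBoxModel doFillPlatformTestCasesItems() {
        String[] values = {"Linux"};
        return new ListBoxModel(values);
    }
'''

# The same two methods with the controls the fix commit adds.
AFTER = '''
    @SuppressWarnings("unused")
    @POST
    public ListBoxModel doFillProjectItems(@QueryParameter String aiqUrl,
            @QueryParameter String login, @QueryParameter Secret password) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        if (aiqUrl.length() > 0 && login.length() > 0) {
            return listProjects(aiqUrl, login, password);
        }
        return new ListBoxModel();
    }

    @SuppressWarnings("unused")
    @POST
    public ListBoxModel doFillPlatformTestCasesItems() {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        String[] values = {"Linux"};
        return new ListBoxModel(values);
    }
'''

if __name__ == "__main__":
    for label, src in (("before fix", BEFORE), ("after fix", AFTER)):
        print(f"{label}: {report(src) or ['no findings']}")
```

Run it over a plugin's src/main/java tree (one file at a time) to get a list of descriptor methods to look at; the check is deliberately coarse and reports candidates for review, not confirmed vulnerabilities.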
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| io.jenkins.plugins:autonomiq | Maven | < 1.16 | 1.16 |
Affected products
- Jenkins project / Jenkins autonomiq Plugin (range: unspecified)
Patches
Commit e06b1ff67664: added permission and csrf protection
1 file changed · +17 −0
src/main/java/io/jenkins/plugins/autonomiq/AutonomiqBuilder.java+17 −0 modified@@ -653,6 +653,7 @@ public String getDisplayName() { } @SuppressWarnings("unused") + @POST public ListBoxModel doFillProjectItems(@QueryParameter String aiqUrl, @QueryParameter String login, @QueryParameter Secret password, @@ -661,6 +662,8 @@ public ListBoxModel doFillProjectItems(@QueryParameter String aiqUrl, @QueryParameter String proxyUser, @QueryParameter Secret proxyPassword, @QueryParameter Boolean httpProxy) { + Jenkins.get().checkPermission(Jenkins.ADMINISTER); + // make sure other fields have been filled in if (aiqUrl.length() > 0 && login.length() > 0 && Secret.toString(password).length() > 0) { @@ -681,7 +684,10 @@ public ListBoxModel doFillProjectItems(@QueryParameter String aiqUrl, } @SuppressWarnings("unused") + @POST public ListBoxModel doFillPlatformTestCasesItems() { + Jenkins.get().checkPermission(Jenkins.ADMINISTER); + String[] values = {"Linux"}; //, "Windows"}; @@ -690,7 +696,10 @@ public ListBoxModel doFillPlatformTestCasesItems() { return new ListBoxModel(options); } @SuppressWarnings("unused") + @POST public ListBoxModel doFillPlatformTestSuitesItems() { + Jenkins.get().checkPermission(Jenkins.ADMINISTER); + String[] values = {"Linux"}; //, "Windows"}; @@ -701,7 +710,10 @@ public ListBoxModel doFillPlatformTestSuitesItems() { @SuppressWarnings("unused") + @POST public ListBoxModel doFillBrowserTestCasesItems() { + Jenkins.get().checkPermission(Jenkins.ADMINISTER); + String[] values = {"Chrome", "Firefox"}; @@ -710,7 +722,9 @@ public ListBoxModel doFillBrowserTestCasesItems() { return new ListBoxModel(options); } @SuppressWarnings("unused") + @POST public ListBoxModel doFillBrowserTestSuitesItems() { + Jenkins.get().checkPermission(Jenkins.ADMINISTER); String[] values = {"Chrome", "Firefox"}; 
@@ -720,7 +734,10 @@ public ListBoxModel doFillBrowserTestSuitesItems() { } @SuppressWarnings("unused") + @POST public ListBoxModel doFillExecutionModeItems() { + Jenkins.get().checkPermission(Jenkins.ADMINISTER); + String[] values = {"serial", "parallel"};
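Review bot: every doFill method now requires Jenkins.ADMINISTER, including doFillPlatformTestCasesItems, doFillPlatformTestSuitesItems, doFillBrowserTestCasesItems, doFillBrowserTestSuitesItems and doFillExecutionModeItems, which return hard-coded lists ({"Linux"}, {"Chrome", "Firefox"}, {"serial", "parallel"}) and contact nothing; for those, @POST alone closes the CSRF vector, and the ADMINISTER check only breaks the dropdowns for non-admin users who configure jobs. For doFillProjectItems, the one method that actually sends the supplied login/password to aiqUrl, the usual Jenkins pattern for a build-step descriptor is to take the job via @AncestorInPath Item item and check item.hasPermission(Item.CONFIGURE), falling back to Jenkins.ADMINISTER only when item is null, rather than requiring global administer. Minor: the doFillBrowserTestSuitesItems hunk (-710,7 +722,9) omits the blank line after the check that the other hunks add.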
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] https://github.com/advisories/GHSA-g5wh-fw4m-2v28 (GitHub Security Advisory)
- [2] https://nvd.nist.gov/vuln/detail/CVE-2022-25194 (NVD)
- [3] https://github.com/jenkinsci/autonomiq-plugin/commit/e06b1ff67664a90819c9561bbc12f4c6e593d1dc (fix commit)
- [4] https://www.jenkins.io/security/advisory/2022-02-15/ (Jenkins Security Advisory 2022-02-15)
News mentions
- Jenkins Security Advisory 2022-02-15 (Jenkins Security Advisories, Feb 15, 2022)