CVE-2022-25198
Description
A cross-site request forgery (CSRF) vulnerability in Jenkins SCP publisher Plugin 1.8 and earlier allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF in Jenkins SCP publisher Plugin 1.8 and earlier allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials.
Vulnerability
A cross-site request forgery (CSRF) vulnerability exists in Jenkins SCP publisher Plugin version 1.8 and earlier [1]. This allows attackers to craft a malicious request that, when executed by a Jenkins user with appropriate permissions, changes the plugin configuration to connect to an attacker-specified SSH server using attacker-specified credentials.
Exploitation
To exploit this, an attacker must trick a Jenkins user (e.g., an administrator) into clicking a crafted link or visiting a malicious page while authenticated to Jenkins. The attacker then sends a CSRF request that modifies the plugin settings, specifying the SSH server and credentials under their control.
Impact
Successful exploitation enables the attacker to have the SCP publisher plugin connect to an attacker-controlled SSH server, potentially leading to unauthorized data transfer, exfiltration, or further compromise of the Jenkins environment.
Mitigation
The plugin is deprecated and no longer maintained [3]. As of February 2022, no fix is planned. The recommended mitigation is to uninstall the plugin if not required. Administrators can also enable CSRF protection in Jenkins, though the plugin may not fully honor it. Users should consider alternative methods for SCP transfers.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:scpMaven | <= 1.8 | — |
Affected products
- (no CPE) range: <=1.8
- (no CPE) range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-7g7g-82fp-hpxx (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-25198 (GHSA, advisory)
- www.jenkins.io/security/advisory/2022-02-15/ (GHSA, x_refsource_CONFIRM, web)
News mentions
- Jenkins Security Advisory 2022-02-15 (Jenkins Security Advisories, Feb 15, 2022)