Moderate severity · NVD Advisory · Published Feb 15, 2022 · Updated Aug 3, 2024

CVE-2022-25200

Description

A CSRF vulnerability in Jenkins Checkmarx Plugin 2022.1.2 and earlier allows attackers to use stored credentials via attacker-specified URLs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2022-25200 is a cross-site request forgery (CSRF) vulnerability in the Jenkins Checkmarx Plugin, versions 2022.1.2 and earlier [1][3]. The plugin fails to require a CSRF token or other validation for requests that connect to an external webserver using attacker-specified credentials IDs, which may have been obtained through another method.

Exploitation

An attacker needs to trick an authenticated Jenkins user (with at least Overall/Read permission) into visiting a crafted web page or link while that user is logged into Jenkins. The CSRF attack uses the victim's session to send a malicious request to the Jenkins controller. In this request, the attacker supplies both the URL of an attacker-controlled webserver and the credentials ID of stored Jenkins credentials obtained via another vulnerability [1].

Impact

Upon successful exploitation, the plugin will connect to the attacker-specified webserver using the targeted credentials. This can result in the exfiltration of the credential values stored in Jenkins to the attacker, leading to disclosure of sensitive credentials [1][3]. The attacker gains no direct code execution on the Jenkins controller, but the C-I (confidentiality and integrity) impact is high due to credential theft.

Mitigation

As of February 2022, no fixed version of the Checkmarx Plugin has been released; the vulnerability remains unresolved in the affected versions [1][2]. Users should monitor the plugin's GitHub repository [4] for updates, restrict access to Jenkins to trusted users only, and ensure that no other vulnerability exposes credentials IDs. The plugin is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
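
A detection sketch for the request shape described under Exploitation, added here as an example and not taken from the advisory or the plugin: it scans combined-format access log lines for requests that reference a stored credentials ID, pass a URL whose host is not on an allow-list, or arrive with a cross-site Referer. The hostnames, the `credentialsId` and `targetUrl` parameter names, the endpoint path and the log lines are all constructed assumptions, and it assumes the parameters are visible in the logged request line.

```python
import re
from urllib.parse import urlsplit, parse_qsl

JENKINS_HOST = "jenkins.example.internal"         # assumption: controller hostname
ALLOWED_TARGETS = {"checkmarx.example.internal"}  # assumption: servers the plugin may contact
CRED_PARAMS = {"credentialsid"}                   # assumption: parameter name, lower-cased

# Combined log format: ... "METHOD target HTTP/x" status size "referer" ...
LINE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" \d{3} \S+ "(?P<referer>[^"]*)"')

def http_host(value):
    """Hostname of an http(s) URL, or '' if value is not one."""
    try:
        parts = urlsplit(value)
        if parts.scheme not in ("http", "https"):
            return ""
        return (parts.hostname or "").lower()
    except ValueError:  # malformed URL, e.g. a broken IPv6 literal
        return ""

def suspicious(line):
    """Reasons a logged request looks like a forged credential-use request."""
    m = LINE.search(line)
    if not m:
        return []
    params = parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True)
    if not any(k.lower() in CRED_PARAMS for k, _ in params):
        return []  # request does not reference a stored credential
    reasons = [f"{k} points at unlisted host {http_host(v)}"
               for k, v in params
               if http_host(v) and http_host(v) not in ALLOWED_TARGETS]
    ref = http_host(m["referer"])
    if ref and ref != JENKINS_HOST:
        reasons.append(f"cross-site Referer {ref}")
    return reasons

# Constructed sample lines; the endpoint path and targetUrl name are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - alice [15/Feb/2022:10:00:01 +0000] "GET /job/build-app/ HTTP/1.1" 200 5120 "https://jenkins.example.internal/" "Mozilla/5.0"',
    '10.0.0.5 - alice [15/Feb/2022:10:02:10 +0000] "GET /PLACEHOLDER-ENDPOINT?targetUrl=https%3A%2F%2Fcheckmarx.example.internal&credentialsId=cred-1 HTTP/1.1" 200 64 "https://jenkins.example.internal/configure" "Mozilla/5.0"',
    '10.0.0.7 - bob [15/Feb/2022:10:05:44 +0000] "GET /PLACEHOLDER-ENDPOINT?targetUrl=https%3A%2F%2Funlisted.example.net&credentialsId=cred-1 HTTP/1.1" 200 64 "https://other.example.org/page" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        hits = suspicious(entry)
        if hits:
            print(entry.split()[0], hits)
```

Browsers may omit the Referer header, so an absent Referer is not evidence that a request was same-site; the unlisted-host check still applies in that case.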

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| com.checkmarx.jenkins:checkmarx (Maven) | < 2022.1.3 | 2022.1.3 |
