CVE-2022-25208
Description
Missing permission check in Jenkins Chef Sinatra Plugin 1.20 and earlier lets attackers with Overall/Read permission send HTTP requests to attacker-controlled URLs and parse XML responses, risking SSRF or info disclosure.
AI Insight
Vulnerability
Chef Sinatra Plugin 1.20 and earlier does not perform a permission check in one of its HTTP endpoints. Users with Overall/Read permission, the lowest level of access Jenkins grants, can therefore have the Jenkins controller send an HTTP request to a URL they specify and parse the response as XML. [1][3]
Exploitation
An attacker holding Overall/Read sends the vulnerable endpoint a request naming a URL under their control. The Jenkins controller then issues an HTTP request to that URL and parses the response body as XML. Nothing beyond Overall/Read is required: no stronger permission, and no interaction from any other user. [1]
Impact
Successful exploitation lets the attacker make the Jenkins controller open outbound HTTP connections to hosts of their choosing, including hosts reachable from the controller but not from the attacker (server-side request forgery). If the response is handed to an XML parser that resolves external entities, the parse step can additionally disclose data from the controller or its network. The actual impact depends on what the controller can reach and on how the XML parser is configured. [1][3]
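The pattern the advisory describes, as an added illustration that is not the Chef Sinatra Plugin's own code: a hypothetical Jenkins root action (the class name, URL name, `url` parameter and allow-listed host are all assumptions made for the example) exposing a Stapler web method with no permission check, beside a hardened version of the same endpoint. Java is used because Jenkins plugins are written in it; the Jenkins and Stapler APIs called (`Jenkins.get().checkPermission`, `@RequirePOST`, `@QueryParameter`) are real.

```java
// Added example, not the plugin's code: vulnerable vs. hardened Jenkins web method.
import hudson.Extension;
import hudson.model.RootAction;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.kohsuke.stapler.interceptor.RequirePOST;
import org.xml.sax.SAXException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.util.Set;

@Extension
public class DemoFetchAction implements RootAction {

    // Hypothetical allow-list of hosts the controller may contact (deployment-specific in practice).
    private static final Set<String> ALLOWED_HOSTS = Set.of("chef.example.internal");

    @Override public String getIconFileName() { return null; } // no sidebar link, but still routable
    @Override public String getDisplayName()  { return null; }
    @Override public String getUrlName()      { return "demo-fetch"; } // <jenkins>/demo-fetch/...

    // VULNERABLE pattern: Stapler routes GET /demo-fetch/fetchUnsafe?url=... here.
    // Nothing checks a permission, so anyone who can reach Jenkins at all
    // (Overall/Read, possibly anonymous) picks the URL and the controller fetches and parses it.
    public void doFetchUnsafe(StaplerRequest req, StaplerResponse rsp,
                              @QueryParameter String url) throws IOException, ServletException {
        try (InputStream body = URI.create(url).toURL().openStream()) {
            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); // default settings
            dbf.newDocumentBuilder().parse(body); // parser config decides whether entities resolve
        } catch (ParserConfigurationException | SAXException e) {
            throw new ServletException(e);
        }
        rsp.setStatus(HttpServletResponse.SC_OK);
    }

    // HARDENED pattern: explicit permission check, POST only, destination allow-list,
    // no redirect following, timeouts, and an XML parser that rejects DOCTYPE declarations.
    @RequirePOST
    public void doFetch(StaplerRequest req, StaplerResponse rsp,
                        @QueryParameter String url) throws IOException, ServletException {
        // Fail closed: throws AccessDeniedException unless the caller has Overall/Administer.
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);

        URL target = validateTarget(url);
        HttpURLConnection conn = (HttpURLConnection) target.openConnection();
        conn.setInstanceFollowRedirects(false); // a 302 to an internal host would bypass the allow-list
        conn.setConnectTimeout(5_000);
        conn.setReadTimeout(5_000);
        try (InputStream body = conn.getInputStream()) {
            hardenedXmlBuilder().parse(body);
        } catch (ParserConfigurationException | SAXException e) {
            throw new ServletException(e);
        }
        rsp.setStatus(HttpServletResponse.SC_OK);
    }

    // Only https to an allow-listed host; everything else is rejected before a socket is opened.
    static URL validateTarget(String url) throws IOException {
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            throw new IOException("malformed URL", e);
        }
        if (!"https".equalsIgnoreCase(uri.getScheme()) || uri.getHost() == null
                || !ALLOWED_HOSTS.contains(uri.getHost().toLowerCase())) {
            throw new IOException("destination not permitted: " + url);
        }
        return uri.toURL();
    }

    // Disallowing DOCTYPE shuts off external entities and entity-expansion attacks in one setting.
    static DocumentBuilder hardenedXmlBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }
}
```

The permission check is the fix for the class of bug in this advisory; the allow-list, redirect handling and parser settings address the SSRF and XML-parsing consequences the Impact section notes, and `@RequirePOST` keeps the side-effecting call off GET, where Jenkins's CSRF crumb is not enforced.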
Mitigation
As of the advisory date (2022-02-15) no fix had been released; the plugin is listed as having an unresolved security issue, and no patched version appears in the package table below. Until a fixed release exists, uninstall the plugin if it is not needed (disabling it and restarting Jenkins has the same effect on the endpoint). If it must stay installed, reduce the blast radius: audit who holds Overall/Read, in particular whether anonymous or all authenticated users do, and apply egress filtering so the controller can only reach hosts it legitimately needs, which bounds what an SSRF from it can touch. [1][2]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:sinatra-chef-builder (Maven) | <= 1.20 | none |
Affected products
- Range: unspecified
Patches
No patches discovered yet.
References
- https://github.com/advisories/GHSA-fq56-c7rj-j3j9 (GitHub Security Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2022-25208 (NVD)
- https://www.openwall.com/lists/oss-security/2022/02/15/2 (oss-security mailing list)
- https://www.jenkins.io/security/advisory/2022-02-15/ (Jenkins Security Advisory, vendor confirmation)
News mentions
- Jenkins Security Advisory 2022-02-15 (Jenkins Security Advisories, Feb 15, 2022)