VYPR
High severity · NVD Advisory · Published Mar 15, 2022 · Updated Aug 3, 2024

CVE-2022-27198

Description

CSRF in Jenkins CloudBees AWS Credentials Plugin allows attackers with Overall/Read to use attacker-specified AWS tokens.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A cross-site request forgery (CSRF) vulnerability exists in the Jenkins CloudBees AWS Credentials Plugin versions 189.v3551d5642995 and earlier. This allows an attacker to perform actions on behalf of a victim user without their consent, specifically to connect to an AWS service using an attacker-specified token. The vulnerability requires that the target user has Overall/Read permission [1][2].

Exploitation

An attacker can craft a malicious web page or link that, when accessed by an authenticated Jenkins user with Overall/Read permission, triggers a cross-site request to the Jenkins server. This request uses the victim's session to modify AWS credentials configuration, enabling the attacker to substitute their own AWS token. No special network position is required; the attacker only needs to trick the victim into interacting with the malicious content [1][2].

Impact

Successful exploitation allows the attacker to connect to any AWS service using the attacker-specified token, potentially gaining unauthorized access to AWS resources. The attacker can leverage the victim's Jenkins permissions to perform actions that the victim is authorized for, but with the attacker's own AWS credentials, leading to data exposure or misuse of AWS services [1][2].

Mitigation

The vulnerability is fixed in CloudBees AWS Credentials Plugin version 191.vcb_f183ce58b_9, released on 2022-03-15 [2]. Users should upgrade to this version or later. There is no known workaround; disabling the plugin or restricting Overall/Read permission can reduce risk but may impact functionality [1][2].
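As an added example (not part of this advisory or the plugin's own code), a small Python check that decides whether an installed aws-credentials version falls inside the affected range quoted above. It assumes the plugin inventory has the shortName/version fields of Jenkins' pluginManager JSON API and runs over a constructed sample document.

```python
import json
import re

# Boundaries named in the advisory: prefix <= 189 is affected, 191 carries the fix.
LAST_AFFECTED = "189.v3551d5642995"
PLUGIN_ID = "aws-credentials"


def version_key(version: str) -> tuple:
    """Turn a Jenkins plugin version into a comparable tuple.

    Handles classic versions ("1.28", "1.29.1") and the incremental format
    ("189.v3551d5642995", "191.vcb_f183ce58b_9"): only the leading integers
    order releases; the ".v<commit>" suffix carries no ordering information.
    """
    numeric = version.split(".v", 1)[0]  # drop ".v<commit>" if present
    parts = re.findall(r"\d+", numeric)
    if not parts:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when the installed version is <= 189.v3551d5642995."""
    return version_key(version) <= version_key(LAST_AFFECTED)


def scan_plugins(plugin_manager_json: str) -> list:
    """Return (version, affected) for every aws-credentials entry found.

    Input shape assumed to match pluginManager/api/json?depth=1 ("plugins"
    list with "shortName" and "version" per entry).
    """
    findings = []
    for plugin in json.loads(plugin_manager_json)["plugins"]:
        if plugin.get("shortName") == PLUGIN_ID:
            findings.append((plugin["version"], is_affected(plugin["version"])))
    return findings


# Constructed sample inventory, not output from a real Jenkins instance.
SAMPLE = json.dumps({"plugins": [
    {"shortName": "git", "version": "4.11.0"},
    {"shortName": PLUGIN_ID, "version": "189.v3551d5642995"},
]})

if __name__ == "__main__":
    print(scan_plugins(SAMPLE))
```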

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:aws-credentials (Maven)
Affected versions: <= 189.v3551d5642995
Patched versions: (none listed)

Patches

Commit cbf183ce58b9

[SECURITY-2351]

1 file changed · +6 −0
  • src/main/java/com/cloudbees/jenkins/plugins/awscredentials/AWSCredentialsImpl.java (modified, +6 −0)
    @@ -56,6 +56,7 @@
     import org.kohsuke.stapler.DataBoundConstructor;
     import org.kohsuke.stapler.DataBoundSetter;
     import org.kohsuke.stapler.QueryParameter;
    +import org.kohsuke.stapler.verb.POST;
     
     import java.net.HttpURLConnection;
     import java.util.logging.Level;
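Review bot: the new org.kohsuke.stapler.verb.POST import only matters once the annotation is placed on every form-validation method in this file that reaches out to AWS with caller-supplied keys; the second hunk applies it to doCheckSecretKey alone, so confirm that no other do* method in the same descriptor performs an outbound call and would still answer GET requests.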
    @@ -280,13 +281,18 @@ public String getDisplayName() {
     
             public static final Integer DEFAULT_STS_TOKEN_DURATION = STS_CREDENTIALS_DURATION_SECONDS;
     
    +        @POST
             public FormValidation doCheckSecretKey(@QueryParameter("accessKey") final String accessKey,
                                                    @QueryParameter("iamRoleArn") final String iamRoleArn,
                                                    @QueryParameter("iamExternalId") final String iamExternalId,
                                                    @QueryParameter("iamMfaSerialNumber") final String iamMfaSerialNumber,
                                                    @QueryParameter("iamMfaToken") final String iamMfaToken,
                                                    @QueryParameter("stsTokenDuration") final Integer stsTokenDuration,
                                                    @QueryParameter final String secretKey) {
    +            if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
    +                // for security reasons, do not perform any check if the user is not an admin
    +                return FormValidation.ok();
    +            }
                 if (StringUtils.isBlank(accessKey) && StringUtils.isBlank(secretKey)) {
                     return FormValidation.ok();
                 }
    
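Review bot: the new guard returns FormValidation.ok() silently when Jenkins.get().hasPermission(Jenkins.ADMINISTER) is false, so a user with only Overall/Read sees a green result although no validation ran; consider a visible result (for example FormValidation.warning stating that key validation is limited to administrators) so the response is not mistaken for a successful key check. Ordering the permission check before the blank-field check is right, since no AWS call is reachable without both a POST request and ADMINISTER. Also verify that jenkins.model.Jenkins is already imported in this file, as the hunk introduces Jenkins.get() without adding an import for it.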

