CVE-2022-27204
Description
Jenkins Extended Choice Parameter Plugin ≤346.vd87693c5a_86c is vulnerable to CSRF, allowing attackers to make the plugin connect to an attacker-specified URL.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Extended Choice Parameter Plugin for Jenkins, versions 346.vd87693c5a_86c and earlier, contains a cross-site request forgery (CSRF) vulnerability [1][2]. The form validation methods that resolve a parameter's property file (doCheckPropertyFile and the three methods that delegate to it, as the fix commit below shows) accepted GET requests. Jenkins' CSRF protection (the crumb) is only enforced on POST requests, so any site open in a logged-in user's browser could issue a GET to these endpoints, and because the property file is fetched during validation, the Jenkins controller would connect to an attacker-specified URL [1]. All releases up to and including 346.vd87693c5a_86c are affected [1].
Exploitation
An attacker hosts a web page, or sends an HTML email, that makes the victim's browser issue a GET request to the affected validation endpoint with an attacker-chosen propertyFile value; the browser attaches the victim's Jenkins session cookie automatically, and since the request is a GET it carries no crumb and the plugin did not require one [1]. The attacker needs no account on the Jenkins instance. The victim must be logged in and able to reach the form validation method, which in Jenkins normally means any user with Overall/Read [2].
Impact
A successful attack makes the Jenkins controller connect to an arbitrary URL [1]. In effect this is server-side request forgery (SSRF) from the controller: it can be used to probe internal hosts the controller can reach, to tie the controller up with slow or oversized responses, or to reach internal services that trust requests originating from the build network [4]. It does not by itself disclose data or execute code on the controller, but it is a useful stepping stone for further attacks.
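The exploitation and impact paragraphs above describe a GET, driven from a foreign origin, to a validator that fetches a caller-supplied URL. The following detection logic, an added example and not code from the advisory, the plugin or Jenkins, scans reverse-proxy access logs for exactly that shape. It assumes things the page does not state: that Jenkins sits behind a proxy writing combined-format logs, and that the validators in the fix commit are reached through Jenkins' usual `/descriptorByName/<describable class>/check<Field>` route. The log lines are constructed for the example.

```python
"""Flag cross-site GET hits to the plugin's URL-fetching form validators.

Added example; not from the advisory, the plugin or Jenkins. Assumed (not on the
page): combined-format proxy logs and the /descriptorByName/<class>/check<Field>
route. The sample log is constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Fields of the validators that the fix commit marks @POST and that name a
# property file, which the plugin may fetch from a URL.
URL_FIELDS = {"propertyFile", "defaultPropertyFile"}

# Combined log format: client ident user [time] "METHOD target PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
CHECK_PATH_RE = re.compile(r"/descriptorByName/(?P<clazz>[\w.$]+)/check(?P<field>\w+)$")

# Constructed sample: one cross-site probe, one legitimate pre-fix UI validation
# (GET from the configure page), one post-fix POST validation, unrelated traffic.
SAMPLE_LOG = """\
203.0.113.7 - alice [15/Mar/2022:10:02:11 +0000] "GET /descriptorByName/com.cwctravel.hudson.plugins.extended_choice_parameter.ExtendedChoiceParameterDefinition/checkPropertyFile?propertyFile=http%3A%2F%2Fattacker.example%2Fp.properties&propertyKey= HTTP/1.1" 200 42 "https://attacker.example/lure.html" "Mozilla/5.0"
10.0.0.12 - alice [15/Mar/2022:10:03:40 +0000] "GET /descriptorByName/com.cwctravel.hudson.plugins.extended_choice_parameter.ExtendedChoiceParameterDefinition/checkPropertyFile?propertyFile=%2Fvar%2Flib%2Fjenkins%2Fchoices.properties&propertyKey=env HTTP/1.1" 200 42 "https://jenkins.example/job/build/configure" "Mozilla/5.0"
10.0.0.12 - alice [15/Mar/2022:10:05:02 +0000] "POST /descriptorByName/com.cwctravel.hudson.plugins.extended_choice_parameter.ExtendedChoiceParameterDefinition/checkDefaultPropertyFile HTTP/1.1" 200 42 "https://jenkins.example/job/build/configure" "Mozilla/5.0"
203.0.113.7 - - [15/Mar/2022:10:06:00 +0000] "GET /static/abc123/scripts/hudson-behavior.js HTTP/1.1" 200 9000 "https://jenkins.example/" "Mozilla/5.0"
"""


def parse_line(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query)
    return rec


def probe_url(rec, jenkins_host):
    """Return the caller-supplied URL if this record is a cross-site GET to a
    URL-fetching validator, else None.

    Three conditions, all visible in the request line: the path is a form
    validation route for one of URL_FIELDS; the method is GET (what the fix's
    @POST forbids, and all an <img>/<script> lure can send); and the Referer
    is not our own host (a real configure-page call carries the Jenkins
    origin; a lure carries the attacker's; a stripped Referer is flagged too).
    """
    pm = CHECK_PATH_RE.search(rec["path"])
    if not pm or rec["method"] != "GET":
        return None
    field = pm.group("field")
    field = field[0].lower() + field[1:]  # checkPropertyFile -> propertyFile
    if field not in URL_FIELDS:
        return None
    for value in rec["query"].get(field, []):
        if urlsplit(value).scheme in ("http", "https") and \
                urlsplit(rec["referer"]).hostname != jenkins_host:
            return value
    return None


def scan(log_text, jenkins_host):
    """One hit per suspicious line: (client, user, time, fetched_url, referer)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        url = probe_url(rec, jenkins_host)
        if url is not None:
            hits.append((rec["client"], rec["user"], rec["time"], url, rec["referer"]))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG, "jenkins.example"):
        print("possible CSRF-driven fetch:", hit)
```

Only the first sample line is reported: the second is the plugin's own pre-fix GET validation from the configure page (local path, Jenkins Referer), the third is a POST, which the patched validators require and which a cross-site lure cannot send with a valid crumb. Once the plugin is upgraded, any GET to these routes should fail and can be alerted on unconditionally.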
Mitigation
The fix was published with the Jenkins Security Advisory of 2022-03-15: Extended Choice Parameter Plugin 356.va_90a_94ca_62ec requires POST requests for the affected form validation methods (see the fix commit below and the Affected packages table) [1][4]. Administrators should update to 356.va_90a_94ca_62ec or later. Until the update is in place, keep Jenkins' CSRF protection enabled and restrict who can reach the instance; there is no configuration switch in the plugin itself that disables the affected validators [2].
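The practical check for the mitigation above is whether an installed plugin falls inside the affected range, which the Affected packages table gives as `< 356.va_90a_94ca_62ec`. The following added example, not code from the advisory or the plugin, reads the inventory Jenkins serves at `/pluginManager/api/json?depth=1` (a real endpoint; the payloads below are constructed samples) and compares versions the way Jenkins "incrementals" versions such as 346.vd87693c5a_86c require: the leading numeric component orders them, the `v<hash>` qualifier does not, and this plugin's older 0.xx releases sort below the new scheme.

```python
"""Audit a Jenkins plugin inventory for the affected Extended Choice Parameter range.

Added example; not from the advisory or the plugin. Input is the JSON from
/pluginManager/api/json?depth=1 (real endpoint; the samples here are
constructed and trimmed to the fields used).
"""
import json
import re

PLUGIN = "extended-choice-parameter"
FIXED = "356.va_90a_94ca_62ec"  # patched version from the advisory's range

# Constructed inventories: one vulnerable install, one at the fixed version.
SAMPLE_INVENTORY = json.dumps({"plugins": [
    {"shortName": "extended-choice-parameter", "version": "346.vd87693c5a_86c"},
    {"shortName": "credentials", "version": "1111.v35a_307992395"},
]})
SAMPLE_INVENTORY_FIXED = json.dumps({"plugins": [
    {"shortName": "extended-choice-parameter", "version": "356.va_90a_94ca_62ec"},
]})


def numeric_key(version):
    """Leading dot-separated integer segments of a Jenkins version.

    "346.vd87693c5a_86c" -> (346,)   "0.82" -> (0, 82)   "356.va_90a_94ca_62ec" -> (356,)
    Parsing stops at the first non-numeric segment (the v<hash> qualifier),
    which carries no ordering information.
    """
    key = []
    for seg in version.split("."):
        if not re.fullmatch(r"\d+", seg):
            break
        key.append(int(seg))
    return tuple(key)


def version_lt(a, b):
    """True when a sorts strictly before b; equal numeric prefixes are not ordered."""
    ka, kb = numeric_key(a), numeric_key(b)
    n = max(len(ka), len(kb))
    # Right-pad with zeros so (0, 82) is compared against (356, 0), not (356,)
    return ka + (0,) * (n - len(ka)) < kb + (0,) * (n - len(kb))


def audit(inventory_json, plugin=PLUGIN, fixed=FIXED):
    """Return (installed_version, verdict); verdict is affected/fixed/unknown/absent."""
    for p in json.loads(inventory_json).get("plugins", []):
        if p.get("shortName") == plugin:
            v = p.get("version", "")
            if not numeric_key(v):
                return v, "unknown"  # e.g. a SNAPSHOT or hand-built version string
            return v, ("affected" if version_lt(v, fixed) else "fixed")
    return None, "absent"


if __name__ == "__main__":
    print(audit(SAMPLE_INVENTORY))        # ('346.vd87693c5a_86c', 'affected')
    print(audit(SAMPLE_INVENTORY_FIXED))  # ('356.va_90a_94ca_62ec', 'fixed')
```

Feed it the real JSON with something like `curl -u user:token 'https://JENKINS/pluginManager/api/json?depth=1'`; the comparison deliberately refuses to order two versions that differ only in the hash qualifier, so a same-numbered private build is reported as fixed rather than guessed at.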
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:extended-choice-parameter (Maven) | < 356.va_90a_94ca_62ec | 356.va_90a_94ca_62ec |
Affected products
- Range: unspecified
Patches
eff9472b64f6 CVE-2022-27204
1 file changed · +5 −0
src/main/java/com/cwctravel/hudson/plugins/extended_choice_parameter/ExtendedChoiceParameterDefinition.java+5 −0 modified@@ -59,6 +59,7 @@ import org.kohsuke.stapler.QueryParameter; import org.kohsuke.stapler.Stapler; import org.kohsuke.stapler.StaplerRequest; +import org.kohsuke.stapler.verb.POST; import com.opencsv.CSVReader; import groovy.lang.Binding; @@ -114,6 +115,7 @@ public String getDisplayName() { return Messages.ExtendedChoiceParameterDefinition_DisplayName(); } + @POST public FormValidation doCheckPropertyFile(@QueryParameter final String propertyFile, @QueryParameter final String propertyKey, @QueryParameter final String type) throws IOException, ServletException { if(StringUtils.isBlank(propertyFile)) { @@ -158,16 +160,19 @@ else if(StringUtils.isNotBlank(propertyKey)) { } } + @POST public FormValidation doCheckPropertyKey(@QueryParameter final String propertyFile, @QueryParameter final String propertyKey, @QueryParameter final String type) throws IOException, ServletException { return doCheckPropertyFile(propertyFile, propertyKey, type); } + @POST public FormValidation doCheckDefaultPropertyFile(@QueryParameter final String defaultPropertyFile, @QueryParameter final String defaultPropertyKey, @QueryParameter final String type) throws IOException, ServletException { return doCheckPropertyFile(defaultPropertyFile, defaultPropertyKey, type); } + @POST public FormValidation doCheckDefaultPropertyKey(@QueryParameter final String defaultPropertyFile, @QueryParameter final String defaultPropertyKey, @QueryParameter final String type) throws IOException, ServletException { return doCheckPropertyFile(defaultPropertyFile, defaultPropertyKey, type);
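Review bot: the three hunks add @POST to doCheckPropertyFile and to the three methods that delegate to it, but no permission check goes with it; a Jenkins validator that resolves a caller-supplied path or URL is normally also guarded, for example with an `@AncestorInPath Item item` parameter and `item.checkPermission(Item.CONFIGURE)` (or `Jenkins.get().checkPermission(Jenkins.ADMINISTER)` where there is no ancestor item), so that a logged-in user with nothing more than Overall/Read cannot still drive the fetch with a crumbed POST. Separately, the commit touches only the Java side (1 file changed, +5 −0): confirm that the matching config.jelly fields either set checkMethod="post" or that the plugin's core baseline already sends form validation as POST, otherwise the UI's own validation calls to these four methods will now be rejected with 405.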
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-fqpx-xfjr-2qr9 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-27204 (NVD)
- www.openwall.com/lists/oss-security/2022/03/15/2 (oss-security mailing list)
- github.com/jenkinsci/extended-choice-parameter-plugin/commit/eff9472b64f68749e5272aa59b68e561fb4ab4cd (fix commit)
- www.jenkins.io/security/advisory/2022-03-15/ (Jenkins Security Advisory 2022-03-15)
News mentions
- Jenkins Security Advisory 2022-03-15, Jenkins Security Advisories, Mar 15, 2022