CVE-2022-27205

Vulnerability

Jenkins Extended Choice Parameter Plugin versions 346.vd87693c5a_86c and earlier contain a missing permission check. Attackers with Overall/Read permission can cause the plugin to connect to an attacker-specified URL, enabling server-side request forgery (SSRF) [1][2]. The plugin is reported as end-of-life with no further development [3].

Exploitation

An attacker needs only Overall/Read permission, which is a low-privilege access level. By crafting a job configuration that utilizes the extended choice parameter's property file or URL-based options, the attacker can force the Jenkins controller to make an HTTP request to an arbitrary external or internal URL [1][2]. No additional authentication or user interaction is required.

Impact

Successful exploitation allows the attacker to perform SSRF attacks. This can be used to probe internal networks, access internal services (e.g., cloud metadata endpoints), or exfiltrate sensitive data from within the Jenkins environment. The attacker can reach resources that would otherwise be inaccessible from external networks [1][2].

Mitigation

No official fix is available as of the publication date (2022-03-15) [2]. The plugin is end-of-life, and no future updates are planned [3]. Users are advised to remove the plugin and switch to alternative parameter plugins such as Active Choices or Json Editor Parameter [3]. There is no workaround within the plugin itself.