VYPR
High severity · NVD Advisory · Published Mar 15, 2022 · Updated Aug 3, 2024

CVE-2022-27210

Description

Jenkins Kubernetes Continuous Deploy Plugin 2.3.1 and earlier has a CSRF flaw enabling attackers to connect to a hostile SSH server and capture stored credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

The Kubernetes Continuous Deploy Plugin versions 2.3.1 and earlier contain a cross-site request forgery (CSRF) vulnerability [1], [4]. The plugin's form validation endpoints fail to require a CSRF token, enabling an attacker to craft a malicious request that initiates an SSH connection to an attacker-specified server using attacker-specified credential IDs (obtained through another method) [1], [4].

Exploitation

An attacker must have network access to the Jenkins controller and convince a Jenkins user with sufficient permissions (typically Job/Configure or overall admin) to visit a malicious web page [1]. The attacker also needs to have previously obtained a valid credential ID (e.g., via an information disclosure vulnerability). When the victim user accesses the attacker-controlled page, a crafted CSRF request is sent to the plugin's form validation endpoint, causing Jenkins to connect to the attacker's SSH server and transmit the secret key associated with the provided credential ID [1], [4].

Impact

Successful exploitation allows the attacker to capture credentials stored in Jenkins by intercepting the SSH connection to their own server [1], [4]. This may expose SSH private keys, passwords, or other sensitive data, depending on the credentials the attacker is able to reference. The attack does not modify the Jenkins controller or its jobs, but it leaks stored secrets to the attacker.

Mitigation

No official patch was released for the Kubernetes Continuous Deploy Plugin. As noted in the Jenkins advisory, the plugin's distribution was suspended on 23 August 2022 due to an unresolved remote code execution vulnerability (SECURITY-2448) and remains suspended as of the last update [3]. Users should remove or disable the plugin if it is not in use. If necessary, apply the Jenkins security best practice of enforcing CSRF protection for all form submissions, and restrict access to the Jenkins controller to trusted networks [1], [2].
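The two paragraphs above (Vulnerability and Mitigation) describe the general shape of the defect, a form-validation endpoint that performs an outbound connection with a stored credential without requiring a CSRF-protected POST or checking the caller's permissions, and the general fix. The following illustration is added here for this page; it is not the Kubernetes Continuous Deploy Plugin's source code. The class and method names (SshDeployValidation, doTestConnectionUnsafe, doTestConnection, lookup, probe) and the parameters are assumed, while the imported Jenkins, Stapler and Credentials Plugin APIs are real. The "before" method shows the class of endpoint the advisory describes; the "after" method applies the standard Jenkins pattern: @RequirePOST (so the CSRF crumb is enforced), binding to the item being configured, and permission checks before any credential is resolved or any connection is made.

```java
// Added illustration of a Jenkins form-validation endpoint, written for this page.
// NOT the Kubernetes Continuous Deploy Plugin's code; names below are assumed.
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernameCredentials;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.util.Collections;

public class SshDeployValidation {

    // BEFORE (hypothetical, the class of defect the advisory describes): reachable
    // with a plain GET, no CSRF crumb required, no permission check. Any page the
    // victim's browser loads can trigger it, and the controller then resolves the
    // credential and connects outbound to whatever host the request named.
    public FormValidation doTestConnectionUnsafe(@QueryParameter String sshHost,
                                                 @QueryParameter int sshPort,
                                                 @QueryParameter String credentialsId) {
        StandardUsernameCredentials c = lookup(credentialsId);
        if (c == null) return FormValidation.error("Credential not found");
        return probe(sshHost, sshPort, c);
    }

    // AFTER: POST-only (Stapler then requires the Jenkins CSRF crumb), bound to the
    // item being configured, and gated on the permissions a user needs to configure
    // that item and to use credentials in it. Nothing is resolved or contacted until
    // those checks pass.
    @RequirePOST
    public FormValidation doTestConnection(@AncestorInPath Item item,
                                           @QueryParameter String sshHost,
                                           @QueryParameter int sshPort,
                                           @QueryParameter String credentialsId) {
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);   // global config context
        } else {
            item.checkPermission(Item.CONFIGURE);                // job config context
            if (!item.hasPermission(CredentialsProvider.USE_ITEM)) {
                return FormValidation.warning("Not permitted to use credentials here");
            }
        }
        if (sshHost == null || sshHost.isBlank() || credentialsId == null || credentialsId.isBlank()) {
            return FormValidation.ok();   // nothing to test yet; do not connect anywhere
        }
        StandardUsernameCredentials c = lookup(credentialsId);
        if (c == null) return FormValidation.error("Credential not found");
        return probe(sshHost, sshPort, c);
    }

    // Resolve a credential by ID from the global scope.
    private static StandardUsernameCredentials lookup(String credentialsId) {
        return CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(StandardUsernameCredentials.class,
                        Jenkins.get(), ACL.SYSTEM, Collections.emptyList()),
                CredentialsMatchers.withId(credentialsId));
    }

    // Reachability check only (TCP connect with a timeout). The page describes the real
    // plugin performing an SSH connection here; that handshake is where a hostile
    // server could capture the secret, which is why the endpoint above must not be
    // reachable without POST + crumb + permission.
    private static FormValidation probe(String host, int port, StandardUsernameCredentials c) {
        try (Socket s = new Socket()) {
            s.connect(new InetSocketAddress(host, port), 3000);
            return FormValidation.ok("Host reachable; would authenticate as " + c.getUsername());
        } catch (IOException e) {
            return FormValidation.error("Cannot reach " + host + ":" + port + ": " + e.getMessage());
        }
    }
}
```

Jenkins itself enforces the crumb only on POST requests, so @RequirePOST is what turns the global CSRF setting into an actual check on this endpoint; the permission checks are the second, independent layer, because a crumb proves the request came from a Jenkins-rendered page, not that the user is allowed to use the referenced credential.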

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:kubernetes-cd (Maven)
Affected versions: <= 2.3.1
Patched versions: none

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 1