VYPR
Moderate severity · NVD Advisory · Published Mar 15, 2022 · Updated Nov 19, 2024

CVE-2022-27214

Description

A cross-site request forgery (CSRF) vulnerability in Jenkins Release Helper Plugin 1.3.3 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CSRF in Jenkins Release Helper Plugin 1.3.3 and earlier lets attackers connect to arbitrary URLs with attacker-chosen credentials.

Vulnerability

A cross-site request forgery (CSRF) vulnerability exists in the Jenkins Release Helper Plugin versions 1.3.3 and earlier. The plugin does not require a CSRF token for requests that trigger connections to external URLs, allowing an attacker to forge requests on behalf of an authenticated user. This affects all versions up to and including 1.3.3 [1][2].
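The pattern behind this class of Jenkins plugin CSRF issue, as an added illustration that is not the Release Helper Plugin's own code: a "test connection" form-validation handler that is reachable by GET and performs no permission check, beside the hardened form that Jenkins security guidance prescribes. The class and method names, and the hypothetical serverUrl/username/password parameters, are assumptions for the example.

```java
import hudson.model.Item;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.util.Base64;

// Illustrative descriptor (hypothetical, not from any real plugin). Stapler exposes
// do* methods as URL handlers, so both methods below become web endpoints.
public class ExampleConnectionDescriptor {

    // WEAK PATTERN: Jenkins' CSRF crumb is only enforced on POST, so a GET-reachable
    // handler with a side effect (an outbound connection using caller-supplied
    // credentials) is exactly what an advisory like this one describes.
    public FormValidation doTestConnectionUnsafe(@QueryParameter String serverUrl,
                                                @QueryParameter String username,
                                                @QueryParameter String password) {
        return connect(serverUrl, username, password);
    }

    // HARDENED PATTERN: @POST makes Stapler reject non-POST requests and enforce the
    // crumb; the permission check ties the side effect to a user allowed to
    // configure the job (Item.CONFIGURE) or, outside a job context, an administrator.
    @POST
    public FormValidation doTestConnection(@AncestorInPath Item item,
                                           @QueryParameter String serverUrl,
                                           @QueryParameter String username,
                                           @QueryParameter String password) {
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            item.checkPermission(Item.CONFIGURE);
        }
        return connect(serverUrl, username, password);
    }

    // The side effect both handlers share: an authenticated HTTP request from the
    // Jenkins controller to the supplied URL (Basic auth, 10 s timeout).
    private FormValidation connect(String serverUrl, String username, String password) {
        try {
            String token = Base64.getEncoder().encodeToString(
                    (username + ":" + password).getBytes(StandardCharsets.UTF_8));
            HttpRequest request = HttpRequest.newBuilder(URI.create(serverUrl))
                    .header("Authorization", "Basic " + token)
                    .timeout(Duration.ofSeconds(10))
                    .GET().build();
            HttpResponse<Void> response = HttpClient.newHttpClient()
                    .send(request, HttpResponse.BodyHandlers.discarding());
            return response.statusCode() < 400
                    ? FormValidation.ok("Connected")
                    : FormValidation.error("HTTP " + response.statusCode());
        } catch (Exception e) {
            return FormValidation.error(e, "Connection failed");
        }
    }
}
```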

Exploitation

An attacker must trick a Jenkins user with at least the Job/Configure permission into clicking a crafted link or visiting a malicious page. The attacker can specify an arbitrary URL and credentials (e.g., for JIRA or Confluence) that the plugin will use to connect. No direct network access to Jenkins is required; the attack relies on social engineering to trigger the CSRF request [1][2].

Impact

Successful exploitation enables the attacker to make the Jenkins server connect to an attacker-controlled URL using attacker-supplied credentials. This could lead to disclosure of sensitive information (e.g., credentials sent to the attacker's server) or be used as a stepping stone for further attacks against internal systems reachable from Jenkins. The attacker does not gain direct control over Jenkins but can abuse the plugin's network connectivity [1].

Mitigation

As of the advisory publication date (2022-03-15), no fixed version of the Release Helper Plugin has been released. The plugin is listed as unresolved in the Jenkins security advisory [1][2]. Mitigations include disabling the plugin if it is not required, or restricting outbound network access from the Jenkins controller to prevent connections to arbitrary URLs. Users should monitor for future updates.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:release-helper (Maven)
Affected versions: <= 1.3.3
Patched versions: none

Patches

No patches discovered yet.