VYPR
Moderate severity · NVD Advisory · Published Mar 29, 2022 · Updated Aug 3, 2024

CVE-2022-28138


Description

A CSRF flaw in Jenkins RocketChat Notifier Plugin ≤1.4.10 lets attackers induce Jenkins to connect to an attacker-chosen URL using attacker-controlled credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

The RocketChat Notifier Plugin for Jenkins, versions 1.4.10 and earlier, contains a cross-site request forgery (CSRF) vulnerability [1][2][3]. The plugin's connection-test endpoint (the form validation behind the global configuration that checks whether Jenkins can reach the configured chat server) accepts plain GET requests. Jenkins' built-in CSRF protection is crumb-based and is enforced only on POST requests, so nothing stops a malicious web page from making the browser of a logged-in Jenkins user issue that request with the user's session cookie attached. No special configuration is required; a default installation of an affected version is vulnerable.

Exploitation

An attacker must lure a Jenkins user who is authorized to use the plugin's configuration (in practice, a user with Overall/Administer permission) into visiting a crafted HTML page while that user has an active Jenkins session [1][3]. Because the endpoint accepts GET, the forged request can be as simple as a link, redirect or auto-submitted form pointing at the endpoint with the attacker-specified URL and attacker-specified credentials in the query string; a top-level navigation of this kind still carries the session cookie under browsers' default SameSite=Lax handling, and no crumb is required. No network position, no prior authentication to Jenkins and no script execution in the Jenkins origin are needed beyond the victim's session.

Impact

A successful attack makes the Jenkins controller open an outbound connection to an attacker-chosen URL and present attacker-supplied credentials to it. Because the request originates from the controller, it can reach hosts that are not exposed to the attacker directly, so the flaw is usable as a server-side request forgery (SSRF) primitive against internal services, or to call out to attacker-controlled systems (for example, to confirm that a victim's session was successfully abused) [1]. The credentials involved are the attacker's own, so this issue by itself is not a route to credentials stored in Jenkins. The connection is made with the privileges of the Jenkins controller process, so the impact is bounded by what an outbound HTTP request from that host can reach, but that is often enough for internal reconnaissance and a foothold for lateral movement.

Mitigation

Jenkins RocketChat Notifier Plugin 1.5.0, released on 2022-03-29, fixes the issue by requiring POST requests for the affected form validation endpoint, which places it under Jenkins' crumb-based CSRF protection [2]. Upgrade to 1.5.0 or later. There is no workaround for an unpatched installation other than removing the plugin. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
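The pattern behind the flaw described under Vulnerability and Exploitation, and the fix described above, side by side. This is an added illustration written for this page, not code from the RocketChat Notifier plugin: the class name ChatGlobalConfig, the method names doTestConnectionUnsafe and doTestConnection, the form fields serverUrl/username/password and the /api/v1/me probe path are hypothetical. The annotations and the permission check are real Jenkins and Stapler APIs. The hardened method also adds an explicit Overall/Administer check, which is the standard defence-in-depth a plugin author would apply alongside requiring POST.

```java
// Added illustration, not the RocketChat Notifier plugin's code. Class, method,
// parameter names and the probe path are hypothetical; @RequirePOST,
// @QueryParameter, FormValidation and Jenkins.get().checkPermission are real APIs.
package example;

import hudson.Extension;
import hudson.util.FormValidation;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

@Extension
public class ChatGlobalConfig extends GlobalConfiguration {

    // BEFORE (the CVE-2022-28138 pattern). Stapler exposes this method as
    //   GET /descriptorByName/example.ChatGlobalConfig/testConnectionUnsafe
    //       ?serverUrl=...&username=...&password=...
    // Jenkins' crumb check only runs for POST, so any web page can make a
    // logged-in user's browser fire this request, and the controller then
    // connects to the attacker-chosen serverUrl with the supplied credentials.
    public FormValidation doTestConnectionUnsafe(@QueryParameter String serverUrl,
                                                 @QueryParameter String username,
                                                 @QueryParameter String password) {
        return probe(serverUrl, username, password);
    }

    // AFTER. @RequirePOST makes Stapler reject GET (HTTP 405), so the request
    // is subject to the crumb check; the permission check runs before any
    // outbound I/O so that only Overall/Administer can trigger the connection
    // even when a valid crumb is present.
    @RequirePOST
    public FormValidation doTestConnection(@QueryParameter String serverUrl,
                                           @QueryParameter String username,
                                           @QueryParameter String password) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return probe(serverUrl, username, password);
    }

    // Shared connection test: one authenticated HTTP request to the chat server.
    private static FormValidation probe(String serverUrl, String username, String password) {
        try {
            URL url = new URL(serverUrl + "/api/v1/me"); // hypothetical probe path
            HttpURLConnection conn = (HttpURLConnection) url.openConnection();
            conn.setConnectTimeout(5_000);
            conn.setReadTimeout(5_000);
            String basic = Base64.getEncoder().encodeToString(
                    (username + ":" + password).getBytes(StandardCharsets.UTF_8));
            conn.setRequestProperty("Authorization", "Basic " + basic);
            int code = conn.getResponseCode();
            return code == 200
                    ? FormValidation.ok("Connected")
                    : FormValidation.error("Server returned HTTP " + code);
        } catch (IOException e) {
            return FormValidation.error("Connection failed: " + e.getMessage());
        }
    }
}
```

To confirm a fix of this shape on a running instance, request the form-validation URL with GET while logged in: the hardened endpoint answers 405 and makes no outbound connection, and a POST without a valid crumb is refused by Jenkins with 403 before the method runs; the vulnerable endpoint answers the GET with 200 and the controller connects to whatever serverUrl was supplied.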

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:rocketchatnotifier (Maven)
Affected versions: < 1.5.0
Patched versions: 1.5.0
