VYPR
Moderate severity · NVD Advisory · Published Mar 29, 2022 · Updated Aug 3, 2024

CVE-2022-28143

Description

CSRF in Jenkins Proxmox Plugin allows attackers to connect to attacker-specified hosts, disable SSL validation, and test rollback.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A cross-site request forgery (CSRF) vulnerability in Jenkins Proxmox Plugin 0.7.0 and earlier allows attackers to trigger actions without proper authentication [1][2][3]. The vulnerable code path is accessible when a Jenkins user with permissions to configure the plugin visits a malicious page. The plugin does not require a confirmation token for the operations.
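An added illustration, not code from the Proxmox plugin or from this advisory, of the two guards a Jenkins plugin's connection-test endpoint normally carries so that a page the user merely visits cannot drive it. Class, field and method names (HardenedExampleCloud, doTestConnection, host, port) are hypothetical, and the check itself is reduced to a TCP reachability probe in place of the real API login; the guards are the standard Jenkins mechanisms: Stapler's @POST annotation, which makes the endpoint reject GET requests and relies on Jenkins' crumb filter for POSTs, and an explicit checkPermission so that only administrators can make the controller open an outbound connection.

```java
package example.hardened; // hypothetical package, not the Proxmox plugin's own

import hudson.Extension;
import hudson.model.Descriptor;
import hudson.model.Label;
import hudson.slaves.Cloud;
import hudson.slaves.NodeProvisioner.PlannedNode;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.util.Collection;
import java.util.Collections;

/** Hypothetical cloud; only the descriptor's form-validation endpoint matters here. */
public class HardenedExampleCloud extends Cloud {

    private final String host;

    @DataBoundConstructor
    public HardenedExampleCloud(String name, String host) {
        super(name);
        this.host = host;
    }

    public String getHost() {
        return host;
    }

    @Override
    public Collection<PlannedNode> provision(Label label, int excessWorkload) {
        return Collections.emptyList(); // provisioning is out of scope for this example
    }

    @Override
    public boolean canProvision(Label label) {
        return false;
    }

    @Extension
    public static class DescriptorImpl extends Descriptor<Cloud> {

        @Override
        public String getDisplayName() {
            return "Hardened example cloud"; // hypothetical display name
        }

        /**
         * Connection test bound to the "Test connection" button on the config form.
         * Guard 1 (CSRF): @POST makes Stapler reject anything but a POST request,
         * and Jenkins' crumb filter rejects POSTs that lack a valid crumb, which a
         * cross-site page cannot obtain. Guard 2 (authorization): only administrators,
         * not any logged-in user, may make the controller reach out to a chosen host.
         */
        @POST
        public FormValidation doTestConnection(@QueryParameter String host,
                                               @QueryParameter String port) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);

            if (host == null || host.trim().isEmpty()) {
                return FormValidation.error("Host must not be empty");
            }
            int portNumber;
            try {
                portNumber = Integer.parseInt(port == null ? "" : port.trim());
            } catch (NumberFormatException e) {
                return FormValidation.error("Port must be a number");
            }
            if (portNumber < 1 || portNumber > 65535) {
                return FormValidation.error("Port must be between 1 and 65535");
            }
            // Bounded TCP reachability probe standing in for the real API login.
            // A real plugin would configure TLS per client here rather than through
            // JVM-wide defaults, so that an "ignore SSL" option stays scoped to this
            // cloud instead of affecting every TLS connection from the controller.
            try (Socket socket = new Socket()) {
                socket.connect(new InetSocketAddress(host.trim(), portNumber), 5000);
                return FormValidation.ok("Reached " + host.trim() + ":" + portNumber);
            } catch (IOException e) {
                return FormValidation.error(e, "Connection failed");
            }
        }
    }
}
```

Removing either guard reproduces the class of weakness this advisory describes: without @POST the endpoint answers GET requests that any page can trigger through the victim's browser session, and without checkPermission any authenticated user, not just an administrator, can make the controller connect to a host of their choosing.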

Exploitation

An attacker can craft a malicious page that, when visited by an authenticated Jenkins user, performs a connection test to an attacker-specified host using attacker-supplied credentials [1][3]. As part of the same CSRF attack, the attacker can disable SSL/TLS validation for the entire Jenkins controller JVM (see also CVE-2022-28142) [1]. Additionally, the attacker can test a rollback with attacker-specified parameters [1][3]. No special network position or additional privileges are needed beyond the victim user having the ability to configure the plugin.

Impact

Successful exploitation allows the attacker to connect to arbitrary hosts (potentially leading to information disclosure or further attacks), disable SSL/TLS certificate validation (compromising the security of all TLS connections from the Jenkins controller), and test rollback operations with arbitrary parameters. The impact is significant as it can undermine the integrity and confidentiality of Jenkins communications and operations.

Mitigation

Jenkins Proxmox Plugin version 0.7.1 is the first fixed release [2]. Users should upgrade to 0.7.1 or later. If upgrading is not possible, consider disabling the plugin. No workaround is provided in the available references [1][2][3].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Ecosystem   Affected versions   Patched versions
org.jenkins-ci.plugins:proxmox   Maven       < 0.7.1             0.7.1

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 1