VYPR
High severity · NVD Advisory · Published Mar 29, 2022 · Updated Aug 3, 2024

CVE-2022-28150

Description

A CSRF vulnerability in Jenkins Job and Node ownership Plugin 0.13.0 and earlier lets attackers change job owners and permissions without user interaction.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A cross-site request forgery (CSRF) vulnerability exists in the Jenkins Job and Node ownership Plugin, affecting versions 0.13.0 and earlier [1][2]. The plugin exposes an HTTP endpoint that changes the owners and item-specific permissions of a job without requiring a POST request or any CSRF token [1][2]. Jenkins' built-in CSRF protection (the crumb issuer) validates crumbs only on POST requests, so a state change reachable by GET is never checked for a token and can be triggered by a request forged from another origin. An attacker can therefore trick an authenticated Jenkins user into unknowingly altering ownership and permission settings [1][3].

Exploitation

To exploit this vulnerability, an attacker crafts a web page, image tag, or link that, when loaded by an authenticated Jenkins user who holds the permission the plugin requires to edit ownership, causes the victim's browser to issue the ownership-changing request to Jenkins. The browser attaches the victim's Jenkins session cookie automatically, so the attacker needs no credentials and no prior access to Jenkins beyond the victim's session [1][2]. The attacker relies on social engineering to get the victim to load the malicious content (e.g., via email or a third-party site) [3]; the victim sees nothing beyond an ordinary page load, which is what "without user interaction" in the description refers to.

Impact

Successful exploitation lets an attacker change the owner and item-specific permissions of a job. Because permissions are exactly what is changed, the attacker can grant an account they control rights on the job; after that no further forgery is needed, and they can read or modify the job configuration, trigger builds, or perform other actions the newly granted rights allow, bounded by what the victim user was entitled to grant [1][3]. The integrity and confidentiality of job-related data may be compromised, although the exact impact depends on the victim user's permissions [2].

Mitigation

As of the 2022-03-29 security advisory, no fixed version of the Job and Node ownership Plugin has been released [1][2], and the plugin is listed as having an unresolved security issue [2]. Enabling Jenkins' global "Prevent Cross Site Request Forgery exploits" option does not help here, because crumb validation applies only to POST requests and the affected endpoint accepts GET. Users should remove or disable the plugin until a patched version is available [1][3]. Network access controls on Jenkins reduce who can reach the instance at all, but they do not stop a forged request issued from a legitimate user's browser inside the allowed network, so they are a partial measure at best. Where the plugin must stay installed, limit the number of accounts holding ownership-management rights and watch for unexpected owner or permission changes on jobs.
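The check a practitioner would run first is an inventory: is the plugin installed, and is it in the affected range? The script below is an added example, not code from this page or from the Jenkins project. It assumes the plugin's Jenkins shortName is "ownership" (the artifactId from the Maven coordinate listed on this page, com.synopsys.jenkinsci:ownership), that the plugin-manager JSON has the shape Jenkins serves at /pluginManager/api/json?depth=1 (a top-level "plugins" list whose entries carry "shortName", "version" and "active"), and that the credentials passed for a live query can read the plugin manager (an administrator account in practice). The embedded sample JSON is constructed for the offline run.

```python
"""Inventory check for CVE-2022-28150 (Jenkins Job and Node ownership Plugin <= 0.13.0).

Added example, not code from the advisory page or the Jenkins project.
Assumptions: plugin shortName "ownership"; JSON shape of
/pluginManager/api/json?depth=1; caller credentials may read the plugin manager.
"""
import base64
import json
import re
import sys
from typing import Optional
from urllib.request import Request, urlopen

AFFECTED_SHORT_NAME = "ownership"   # assumed: artifactId of com.synopsys.jenkinsci:ownership
LAST_AFFECTED = "0.13.0"            # advisory: "0.13.0 and earlier"

# Constructed sample of what /pluginManager/api/json?depth=1 returns (trimmed).
SAMPLE_PLUGIN_MANAGER = json.loads("""
{"plugins": [
  {"shortName": "git",       "version": "4.11.0", "active": true},
  {"shortName": "ownership", "version": "0.13.0", "active": true}
]}
""")


def version_key(version: str) -> tuple:
    """Turn '0.13.0', '0.13' or '0.13.0-beta' into a comparable tuple.

    Only the leading dotted numeric part is compared; a qualifier such as
    '-beta' is dropped, which errs toward reporting a build as affected.
    """
    m = re.match(r"(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unparseable plugin version: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:          # pad so that 0.13 == 0.13.0
        parts.append(0)
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the installed version falls in the advisory's affected range."""
    return version_key(version) <= version_key(LAST_AFFECTED)


def find_ownership_plugin(plugin_manager_json: dict) -> Optional[dict]:
    for plugin in plugin_manager_json.get("plugins", []):
        if plugin.get("shortName") == AFFECTED_SHORT_NAME:
            return plugin
    return None


def assess(plugin_manager_json: dict) -> dict:
    """Verdict for one instance: installed?, version, affected?, active?"""
    plugin = find_ownership_plugin(plugin_manager_json)
    if plugin is None:
        return {"installed": False, "version": None, "affected": False, "active": False}
    return {
        "installed": True,
        "version": plugin["version"],
        "affected": is_affected(plugin["version"]),
        # a disabled plugin is not exposing its endpoints, but flag it anyway
        "active": bool(plugin.get("active", True)),
    }


def fetch_plugin_manager(base_url: str, user: str, api_token: str) -> dict:
    """Live query using HTTP basic auth with a Jenkins API token (needs network)."""
    url = base_url.rstrip("/") + "/pluginManager/api/json?depth=1"
    req = Request(url)
    cred = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # usage: cve_2022_28150_check.py [JENKINS_URL USER API_TOKEN]
    if len(sys.argv) == 4:
        data = fetch_plugin_manager(sys.argv[1], sys.argv[2], sys.argv[3])
    else:
        data = SAMPLE_PLUGIN_MANAGER   # offline run against the constructed sample
    verdict = assess(data)
    print(json.dumps(verdict, indent=2))
    # non-zero exit when an affected, enabled copy is present, for use in a scan loop
    sys.exit(1 if verdict["affected"] and verdict["active"] else 0)
```

Run without arguments to see the verdict for the constructed sample (affected, active); pass a Jenkins URL, user name and API token to query a real instance. The version comparison deliberately ignores pre-release qualifiers so that a build such as 0.13.0-something is still reported, since the page lists no patched version at all.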

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.synopsys.jenkinsci:ownership (Maven)
Affected versions: <= 0.13.0
Patched versions: none

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context for this CVE. The mechanics section is only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 5

News mentions: 1