VYPR
Moderate severity · NVD Advisory · Published Mar 29, 2022 · Updated Aug 3, 2024

CVE-2022-28152

Description

CSRF vulnerability in Jenkins Job and Node ownership Plugin 0.13.0 and earlier allows attackers to restore default ownership of a job.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A cross-site request forgery (CSRF) vulnerability exists in Jenkins Job and Node ownership Plugin versions 0.13.0 and earlier [1][2]. The flaw lets an attacker cause a logged-in Jenkins user's browser to send a request the user never intended, one that restores the default ownership of a job, so the ownership configuration the plugin is meant to enforce can be reset without the owner's involvement [1].

Exploitation

An attacker exploits this by hosting a page or link that, when opened by an authenticated Jenkins user who holds the permission needed to change ownership, makes the victim's browser issue a forged request to the vulnerable plugin endpoint [1][2]. The attacker needs no Jenkins account of their own: the request is authenticated by the victim's session cookie, which the browser attaches automatically, so the attack reduces to social engineering the victim into loading the crafted page while logged in [1]. In Jenkins plugins, CSRF findings of this kind almost always come down to a state-changing URL that does not insist on POST, because Jenkins' crumb-based CSRF protection is only enforced on POST requests; the advisory text does not detail the affected endpoint, so treat that as the general mechanism rather than a description of this plugin's code.
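To make the mechanism concrete, the following is an added example of a Jenkins/Stapler action written in the CSRF-prone pattern next to its hardened form. It is not the Job and Node ownership Plugin's code and is not derived from its fix: the class name `OwnershipActionExample`, the method names `doResetOwnerUnsafe`/`doResetOwner`, the URL name `ownership-example`, and the placeholder `resetToDefault()` body are all hypothetical. The Stapler and Jenkins APIs used (`@RequirePOST`, `checkPermission`, `HttpResponses.redirectToDot`) are real.

```java
// Added example, not the plugin's own code. Names are hypothetical (see lead-in).
package example;

import java.io.IOException;

import hudson.model.Action;
import hudson.model.Item;
import hudson.model.Job;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.interceptor.RequirePOST;

/**
 * Stapler maps a URL segment to a doXxx() method on the bound object, so
 * /job/<name>/ownership-example/resetOwnerUnsafe reaches doResetOwnerUnsafe()
 * and /job/<name>/ownership-example/resetOwner reaches doResetOwner().
 */
public class OwnershipActionExample implements Action {

    private final Job<?, ?> job;

    public OwnershipActionExample(Job<?, ?> job) {
        this.job = job;
    }

    /**
     * VULNERABLE PATTERN (hypothetical): the method changes state but accepts any
     * HTTP method. Jenkins' CrumbFilter validates the CSRF crumb only on POST, so
     * a plain GET triggered from a page on another origin is accepted as long as
     * the victim's browser sends their Jenkins session cookie. The permission
     * check below is still necessary but does nothing against CSRF, because the
     * victim legitimately holds the permission.
     */
    public HttpResponse doResetOwnerUnsafe(StaplerRequest req) throws IOException {
        job.checkPermission(Item.CONFIGURE); // authorization, not CSRF protection
        resetToDefault();
        return HttpResponses.redirectToDot();
    }

    /**
     * HARDENED PATTERN: @RequirePOST makes Stapler refuse to dispatch anything but
     * POST to this method, which in turn guarantees the request has passed the
     * crumb check. A forged cross-site request cannot obtain a valid crumb, so
     * it is rejected before this body runs.
     */
    @RequirePOST
    public HttpResponse doResetOwner(StaplerRequest req) throws IOException {
        job.checkPermission(Item.CONFIGURE);
        resetToDefault();
        return HttpResponses.redirectToDot();
    }

    /** Placeholder: the advisory gives no source-level detail of what "default ownership" is. */
    private void resetToDefault() throws IOException {
        job.save();
    }

    @Override public String getIconFileName() { return null; }
    @Override public String getDisplayName() { return "Ownership (example)"; }
    @Override public String getUrlName() { return "ownership-example"; }
}
```

A quick manual check against any Jenkins plugin endpoint follows from the same fact: issue a GET to the state-changing URL from an authenticated browser session without a crumb and see whether the state changes. A method protected by `@RequirePOST` answers with Stapler's "must be POST" response instead of acting, and a POST without a crumb is rejected by the crumb filter before the method is reached.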

Impact

Successful exploitation restores the job's ownership to its default, discarding the custom owner and any related ownership settings that had been configured for that job [1]. Where authorization or notification rules on the job are driven by that ownership information, resetting it can loosen or bypass the restrictions intended for the job and open the way to unauthorized access to, or modification of, its configuration [1]. The Jenkins security advisory rates the issue as medium severity [1].

Mitigation

As of the advisory publication on 2022-03-29, no fix is available for Job and Node ownership Plugin [1][2]; the plugin is listed as having an unresolved security issue [2], and the references document no workaround [1][2]. Until a fixed release exists, the practical measures are to keep the set of users who hold the permission to change job ownership small (the attack only works through such a user's session), to limit who can reach the Jenkins instance at all, and to watch for unexpected ownership resets on jobs [1].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.synopsys.jenkinsci:ownership (Maven)
Affected versions: <= 0.13.0
Patched versions: none listed

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context for this CVE: the mechanics section is generated only when the actual fix diff can be read. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 5

News mentions: 1