CVE-2022-30946
Description
A cross-site request forgery (CSRF) vulnerability in Jenkins Script Security Plugin 1158.v7c1b_73a_69a_08 and earlier allows attackers to have Jenkins send an HTTP request to an attacker-specified webserver.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF in Jenkins Script Security Plugin ≤1158.v7c1b_73a_69a_08 lets an attacker force Jenkins to send arbitrary HTTP requests to an attacker-controlled server.
Vulnerability
A cross-site request forgery (CSRF) vulnerability exists in the Jenkins Script Security Plugin [1][2][4]. In versions 1158.v7c1b_73a_69a_08 and earlier, the plugin does not require a confirmation token or additional validation when processing certain HTTP requests, allowing an attacker to trick a Jenkins administrator or user with sufficient permissions into performing unintended actions. Affected versions: Script Security Plugin 1158.v7c1b_73a_69a_08 and all prior releases.
Exploitation
To exploit this vulnerability, an attacker must convince a target Jenkins administrator (or any user who can access Script Security Plugin features) to click a crafted link, visit a malicious website, or otherwise trigger a cross-site request while authenticated to Jenkins. The attacker can then force Jenkins to send an HTTP request to an attacker-specified web server. The exact sequence: the attacker crafts a malicious HTML page or email that, when the target interacts with it, submits a forged request to the Jenkins instance. If the target is logged in to Jenkins with sufficient privileges, the request is processed by the Script Security Plugin without proper CSRF protection, resulting in an HTTP request to the attacker-controlled endpoint.
Impact
Successful exploitation allows the attacker to have Jenkins send an HTTP request to a server of the attacker's choice. This could be used for reconnaissance, such as exfiltrating information about the Jenkins environment (e.g., the Jenkins version, internal network details, or credentials), or to probe internal services that the Jenkins server can reach. The impact is primarily on confidentiality (information disclosure) and potentially on integrity if the attacker orchestrates interactions with other systems, though the vulnerability itself does not directly provide code execution or data modification on Jenkins.
Mitigation
The Jenkins Script Security Plugin has been fixed in version 1172.v35f6a_0b_8207e, released on 2022-05-17 [1][3]. All users are strongly advised to upgrade to this version or later. The fix introduces proper CSRF protection (likely a token-based validation or referer check) for the vulnerable endpoints. There is no known workaround for unpatched versions; upgrading is the only recommended mitigation. The vulnerability is not known to be listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.jenkins-ci.plugins:script-securityMaven | < 1172.v35f6a | 1172.v35f6a |
Affected products
2- Jenkins project/Jenkins Script Security Pluginv5Range: unspecified
Patches
135f6a0b8207e[SECURITY-2116]
1 file changed · +7 −13
src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java+7 −13 modified@@ -48,7 +48,6 @@ import hudson.util.XStream2; import java.io.BufferedInputStream; import java.io.File; -import java.io.FileNotFoundException; import java.io.IOException; import java.io.InputStream; import java.io.UnsupportedEncodingException; @@ -550,6 +549,9 @@ public synchronized void configuring(@NonNull ClasspathEntry entry, @NonNull App /** * Like {@link #checking(String, Language, boolean)} but for classpath entries. + * However, this method does not actually check whether the classpath entry is approved, + * because it would have to connect to the URL and download the contents, + * which may be unsafe if this is called via a web method by an unprivileged user * (This is automatic if use {@link ClasspathEntry} as a configuration element.) * @param entry the classpath entry to verify * @return whether it will be approved @@ -560,18 +562,10 @@ public synchronized FormValidation checking(@NonNull ClasspathEntry entry) { if (entry.isClassDirectory()) { return FormValidation.error(Messages.ClasspathEntry_path_noDirsAllowed()); } - URL url = entry.getURL(); - try { - if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER) && !approvedClasspathEntries.contains(new ApprovedClasspathEntry(hashClasspathEntry(url), url))) { - return FormValidation.error(Messages.ClasspathEntry_path_notApproved()); - } else { - return FormValidation.ok(); - } - } catch (FileNotFoundException x) { - return FormValidation.error(Messages.ClasspathEntry_path_notExists()); - } catch (IOException x) { - return FormValidation.error(x, "Could not verify: " + url); // TODO NO18N - } + // We intentionally do not call hashClasspathEntry because that method downloads the contents + // of the URL in order to hash it, making it an attractive DoS vector, and we do not have enough + // context here to be able to easily perform an appropriate permission check. + return FormValidation.ok(); } /**
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-qwgx-mrv5-87j8ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-30946ghsaADVISORY
- www.openwall.com/lists/oss-security/2022/05/17/8ghsamailing-listx_refsource_MLISTWEB
- github.com/jenkinsci/script-security-plugin/commit/35f6a0b8207ed3a32a85f27c1312da6cd738eeaaghsaWEB
- www.jenkins.io/security/advisory/2022-05-17/ghsax_refsource_CONFIRMWEB
News mentions
1- Jenkins Security Advisory 2022-05-17Jenkins Security Advisories · May 17, 2022