VYPR
High severity · NVD Advisory · Published May 17, 2022 · Updated Aug 3, 2024

CVE-2022-30958

Description

CSRF in Jenkins SSH Plugin 2.6.1 and earlier allows attackers to connect to an attacker-specified SSH server using stolen credentials, capturing Jenkins credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A cross-site request forgery (CSRF) vulnerability exists in Jenkins SSH Plugin version 2.6.1 and earlier [1][2]. The plugin does not require a CSRF token or other validation for requests that initiate SSH connections. This allows an attacker to trick a Jenkins administrator or user with appropriate permissions into making an unintended request.

Exploitation

An attacker must first obtain valid credential IDs from Jenkins (e.g., through another vulnerability or information disclosure) [1]. Then, by crafting a malicious web page or link, the attacker can trigger a CSRF request from an authenticated Jenkins user. The request causes Jenkins to connect to an attacker-specified SSH server using the stolen credential IDs, effectively capturing those credentials.

Impact

Successful exploitation allows the attacker to capture Jenkins-stored SSH credentials by having Jenkins connect to a server under the attacker's control [1][2]. The attacker gains the ability to use those credentials for further unauthorized access. The impact is limited to credential disclosure; no remote code execution is directly achieved.

Mitigation

Jenkins SSH Plugin version 2.6.2 and later includes a CSRF protection mechanism [1]. Users should upgrade to version 2.6.2 or newer. No workaround is provided for earlier versions. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of the advisory date.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                              Affected versions   Patched versions
org.jenkins-ci.plugins:ssh (Maven)   <= 2.6.1

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 1