VYPR
Moderate severity · NVD Advisory · Published Jun 22, 2022 · Updated Aug 3, 2024

CVE-2022-34209

Description

CSRF in Jenkins ThreadFix Plugin 1.5.4 and earlier allows attackers to direct the plugin to connect to attacker-specified URLs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Root Cause

CVE-2022-34209 is a cross-site request forgery (CSRF) vulnerability in the Jenkins ThreadFix Plugin, versions 1.5.4 and earlier. The plugin fails to perform a CSRF check on requests that configure a URL endpoint for uploading scan artifacts. Because such a request is not validated, an attacker can craft one that forces the plugin to connect to an attacker-specified URL [1][2].

Attack Vector and Exploitation

To exploit this flaw, an attacker must trick an authenticated Jenkins user with appropriate permissions into clicking a malicious link or visiting a specially crafted web page. The Jenkins instance does not require any additional authentication beyond the victim's existing session. The attacker can specify any arbitrary URL, including internal network addresses or external servers under their control [1]. The ThreadFix plugin uses the Jenkins server's network context when making the connection, as described in the plugin documentation [3].

Impact

Successful exploitation allows the attacker to direct the plugin's outgoing connection to a target of their choice. This could be used for server-side request forgery (SSRF) type attacks — probing internal services, scanning ports, or even exfiltrating data by sending requests to attacker-controlled endpoints. The plugin communicates via HTTP/HTTPS and can be abused to interact with any reachable host [2][3].

Mitigation

The vulnerability is patched in ThreadFix Plugin version 1.5.5, which adds proper CSRF protection. Users are strongly advised to upgrade to this version or later. No known workarounds are documented; disabling the plugin is a temporary option if immediate upgrade is not possible [1][2].
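As an added illustration of the vulnerability class described under Root Cause and Mitigation (this is not the ThreadFix plugin's source, and the page does not detail the actual change made in 1.5.5), here is a hypothetical Jenkins form-validation endpoint that connects to a user-supplied URL, shown in the unprotected shape and in the shape Jenkins' standard CSRF defence expects. Class and method names are invented.

```java
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

// Hypothetical descriptor-style class (names invented for illustration); Stapler
// routes a request for .../checkServerUrl to the doCheckServerUrl method below.
public class ScanUploadConfig {

    // UNPROTECTED shape: reachable by GET with no permission check. A page the
    // victim's browser loads can issue this request with the victim's session
    // cookie, and Jenkins opens a connection to whatever URL is supplied.
    public FormValidation doCheckServerUrlUnprotected(@QueryParameter String value) {
        return probe(value);
    }

    // PROTECTED shape: @RequirePOST rejects GET, and POSTs are subject to
    // Jenkins' crumb (CSRF token) check; the permission check ensures only an
    // administrator can make the server connect outward.
    @RequirePOST
    public FormValidation doCheckServerUrl(@QueryParameter String value) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return probe(value);
    }

    // Shared connectivity test; restricting the scheme and using short timeouts
    // limits what a misdirected connection can reach or hang on.
    private FormValidation probe(String value) {
        try {
            URL url = new URL(value);
            if (!"https".equals(url.getProtocol())) {
                return FormValidation.error("Only https:// URLs are accepted");
            }
            HttpURLConnection conn = (HttpURLConnection) url.openConnection();
            conn.setRequestMethod("HEAD");
            conn.setConnectTimeout(5_000);
            conn.setReadTimeout(5_000);
            int status = conn.getResponseCode();
            return status < 400 ? FormValidation.ok("Reachable (HTTP " + status + ")")
                                : FormValidation.error("Server returned HTTP " + status);
        } catch (IOException e) {
            return FormValidation.error("Could not connect: " + e.getMessage());
        }
    }
}
```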

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                            Ecosystem   Affected versions   Patched versions
org.jenkins-ci.plugins:threadfix   Maven       <= 1.5.4
