VYPR
Moderate severity · NVD Advisory · Published Jun 22, 2022 · Updated Aug 3, 2024

CVE-2022-34211

Description

CSRF vulnerability in Jenkins vRealize Orchestrator Plugin 3.0 and earlier allows attackers to send arbitrary HTTP POST requests.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

A cross-site request forgery (CSRF) vulnerability exists in the Jenkins vRealize Orchestrator Plugin, versions 3.0 and earlier [1]. The plugin exposes an HTTP endpoint on the Jenkins controller that, when invoked, makes the controller issue an HTTP POST request to a caller-supplied URL, and that endpoint is not covered by Jenkins' CSRF protection [2]. An attacker who lures a logged-in Jenkins user to a page they control can therefore have the controller send a POST request to a URL of the attacker's choosing. The advisory text gives the missing CSRF protection as the cause without naming the exact code path; in Jenkins this class of finding usually means a web method that does not require POST, since crumb-based CSRF protection is enforced only on POST requests to the controller and an endpoint that also answers GET can be triggered by a plain link or image tag without a crumb.
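As an added illustration, not the vRealize Orchestrator Plugin's own code (this page does not name the affected endpoint), the following hypothetical Jenkins descriptor shows the generic pattern behind this class of finding beside its hardened form: a connection-test web method that makes the controller POST to a caller-supplied URL, first without and then with the request-method restriction and permission check. The class, method and parameter names (VroServer, VroServerDescriptor, doTestConnectionUnsafe, doTestConnection, serverUrl) are assumptions for the example; the annotations and permission calls are Jenkins and Stapler APIs.

```java
// Added example, not the plugin's code. Names in this file are hypothetical.
package example;

import hudson.Extension;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
import hudson.model.Item;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLConnection;

public class VroServer extends AbstractDescribableImpl<VroServer> {

    @Extension
    public static class VroServerDescriptor extends Descriptor<VroServer> {

        // VULNERABLE PATTERN: every public do* method on a descriptor is a Stapler
        // web endpoint. Without @POST it also answers GET, so Jenkins' crumb check
        // never runs: an <img src="...doTestConnectionUnsafe?serverUrl=..."> on an
        // attacker page, loaded by a logged-in user, makes the controller POST to
        // whatever serverUrl says. There is also no permission check, so any
        // authenticated user can call it directly as an outbound-request primitive.
        public FormValidation doTestConnectionUnsafe(@QueryParameter String serverUrl) {
            return postTo(serverUrl);
        }

        // HARDENED PATTERN: @POST (org.kohsuke.stapler.verb.POST) rejects non-POST
        // requests, which brings the endpoint under Jenkins' crumb-based CSRF
        // protection, and the permission check limits it to users who could
        // configure the item it belongs to (or administer Jenkins for global
        // configuration, where there is no ancestor item in the request path).
        @POST
        public FormValidation doTestConnection(@AncestorInPath Item item,
                                               @QueryParameter String serverUrl) {
            if (item == null) {
                Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            } else {
                item.checkPermission(Item.CONFIGURE);
            }
            return postTo(serverUrl);
        }

        // The side effect both variants share: an outbound POST with an empty body
        // from the controller to a caller-controlled URL (simplified, no auth).
        private static FormValidation postTo(String serverUrl) {
            HttpURLConnection conn = null;
            try {
                URLConnection raw = new URL(serverUrl).openConnection();
                // file:, jar: and similar schemes are not HttpURLConnection; refuse
                // them instead of throwing a ClassCastException into the UI.
                if (!(raw instanceof HttpURLConnection)) {
                    return FormValidation.error("Only http(s) server URLs are accepted");
                }
                conn = (HttpURLConnection) raw;
                conn.setRequestMethod("POST");
                conn.setConnectTimeout(5000);
                conn.setReadTimeout(5000);
                conn.setDoOutput(true);
                conn.getOutputStream().close();
                int status = conn.getResponseCode();
                return status < 400
                        ? FormValidation.ok("Connected (HTTP " + status + ")")
                        : FormValidation.error("Server answered HTTP " + status);
            } catch (IOException e) {
                return FormValidation.error("Connection failed: " + e.getMessage());
            } finally {
                if (conn != null) {
                    conn.disconnect();
                }
            }
        }
    }
}
```

The two additions do different jobs: @POST alone closes the GET-triggered CSRF described in the advisory, while the checkPermission call stops low-privilege authenticated users from using the endpoint directly to make the controller send requests on their behalf. A fix for a plugin with this class of issue needs both on every web method that opens a connection to a caller-supplied URL.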

Exploitation

To exploit this vulnerability, an attacker crafts a web page or link that, when visited by a Jenkins user whose browser holds an active Jenkins session, makes that browser call the vulnerable plugin endpoint; the controller then performs the HTTP POST to the URL carried in the request [1]. The victim must be logged in to a Jenkins instance running the vulnerable plugin version; no further authentication or interaction is needed beyond loading the attacker's page [3]. The attacker needs no Jenkins account of their own, because the request to Jenkins is made with the victim's session.

Impact

Successful exploitation lets an attacker make the Jenkins controller send an HTTP POST request to an arbitrary URL, internal or external, from the controller's network position [2][3]. The immediate risk is server-side request forgery: services reachable only from the Jenkins network (other CI/CD components, internal APIs, build or deployment hooks) can receive a POST they would not accept from the outside. The description states control over the target URL only, not over the request body or headers, so the effect on a given target depends on what an unexpected POST to that URL does.

Mitigation

The Jenkins security advisory of 2022-06-22 does not list a fixed version for this plugin [1], and the affected-package data on this page shows no patched release. Check the installed version under Manage Jenkins > Plugins; if the plugin is at 3.0 or earlier and no newer release addressing this issue is available, uninstall or disable the plugin, which removes the vulnerable endpoint [2]. Where the plugin must stay installed, restricting outbound network access from the Jenkins controller limits where a forged POST can reach, and keeping Jenkins users from browsing untrusted sites while logged in reduces exposure, though neither removes the flaw.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:vmware-vrealize-orchestrator (Maven)
Affected versions: <= 3.0
Patched versions: none listed

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 3
