VYPR
Moderate severity · NVD Advisory · Published Jun 30, 2022 · Updated Aug 3, 2024

CVE-2022-34780

Description

A cross-site request forgery (CSRF) vulnerability in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A CSRF vulnerability in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier lets attackers make Jenkins connect to an attacker-specified server using credentials IDs obtained through another method, capturing the credentials stored under those IDs.

A cross-site request forgery (CSRF) vulnerability exists in the Jenkins XebiaLabs XL Release Plugin version 22.0.0 and earlier. The plugin fails to require a CSRF token for sensitive form submissions, allowing an attacker to craft a malicious request that executes authenticated actions on behalf of a Jenkins administrator. This is a classic CSRF flaw where the web application does not validate the origin of requests [1][2].

The attack requires two steps. First, the attacker must obtain valid Jenkins credentials IDs through another method (such as a separate vulnerability or social engineering). Second, the attacker tricks an authenticated Jenkins user with permissions to use the XebiaLabs XL Release Plugin into visiting a malicious page. The crafted request then connects to an attacker-specified HTTP server using the obtained credentials IDs, effectively allowing the attacker to capture those stored credentials from Jenkins [2].

The impact is significant: an attacker can exfiltrate credentials stored in Jenkins by redirecting them to their own server. This could lead to further compromise of connected systems that rely on those credentials. The vulnerability is rated with a CVSS v3.1 base score of 8.8 (High) due to the potential for credential theft [2].

As of the Jenkins Security Advisory dated June 30, 2022, users are advised to update the XebiaLabs XL Release Plugin to version 22.0.1 or later, which includes a fix that properly validates CSRF tokens for all form submissions. No workaround is mentioned; updating is the recommended mitigation [1][3].
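The fix the advisory describes is requiring a CSRF token on the form submission that triggers the outbound connection. The following is an added example, not code from the XL Release Plugin or its actual fix: it shows the standard Jenkins/Stapler pattern for hardening a "test connection" form-validation endpoint, where the CSRF crumb is enforced by the @RequirePOST annotation, the caller's permission is checked before any credential is resolved, and the credentials ID is only resolved against the Jenkins credentials store. The class, method and parameter names (ExampleServerConfig, doTestConnection, serverUrl, credentialsId) are assumptions chosen for illustration.

```java
// Added example (not the XL Release Plugin's own code): a Jenkins form-validation
// endpoint for a "Test connection" button, hardened against the CSRF pattern
// described in CVE-2022-34780. Names below are illustrative assumptions.
package example.hardened;

import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.Extension;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
import hudson.security.ACL;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.net.HttpURLConnection;
import java.net.URL;
import java.util.Collections;

public class ExampleServerConfig extends AbstractDescribableImpl<ExampleServerConfig> {

    private final String serverUrl;
    private final String credentialsId;

    @DataBoundConstructor
    public ExampleServerConfig(String serverUrl, String credentialsId) {
        this.serverUrl = serverUrl;
        this.credentialsId = credentialsId;
    }

    public String getServerUrl() { return serverUrl; }
    public String getCredentialsId() { return credentialsId; }

    @Extension
    public static final class DescriptorImpl extends Descriptor<ExampleServerConfig> {

        // @RequirePOST makes Stapler reject GET requests and enforce the Jenkins
        // crumb (CSRF token) on POST. A cross-site page cannot read the victim's
        // crumb, so it cannot forge a valid request to this endpoint. Without this
        // annotation a plain link or auto-submitting form could trigger the call.
        @RequirePOST
        public FormValidation doTestConnection(@QueryParameter String serverUrl,
                                               @QueryParameter String credentialsId) {
            // Authorization before anything else: only administrators may cause
            // Jenkins to dial out with stored credentials. checkPermission throws
            // AccessDeniedException for anyone else, including anonymous users.
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);

            // Restrict the outbound target so the endpoint cannot be pointed at an
            // arbitrary plaintext listener (defensive allow-list on scheme).
            URL target;
            try {
                target = new URL(serverUrl);
            } catch (Exception e) {
                return FormValidation.error("Malformed server URL");
            }
            if (!"https".equalsIgnoreCase(target.getProtocol())) {
                return FormValidation.error("Only https:// server URLs are allowed");
            }

            // Resolve the credentials ID through the credentials store, never from
            // request parameters, so the secret itself never transits the form.
            StandardUsernamePasswordCredentials creds = CredentialsMatchers.firstOrNull(
                    CredentialsProvider.lookupCredentials(
                            StandardUsernamePasswordCredentials.class,
                            Jenkins.get(), ACL.SYSTEM, Collections.emptyList()),
                    CredentialsMatchers.withId(credentialsId));
            if (creds == null) {
                return FormValidation.error("No credentials found for ID " + credentialsId);
            }

            // Connectivity probe: a HEAD request with a short timeout. The secret is
            // deliberately not sent by this probe; authenticated calls belong to the
            // real client code, after the target has passed the checks above.
            try {
                HttpURLConnection conn = (HttpURLConnection) target.openConnection();
                conn.setRequestMethod("HEAD");
                conn.setConnectTimeout(5000);
                conn.setReadTimeout(5000);
                int status = conn.getResponseCode();
                return FormValidation.ok("Reachable (HTTP " + status + ") as user "
                        + creds.getUsername());
            } catch (Exception e) {
                return FormValidation.error("Connection failed: " + e.getMessage());
            }
        }

        @Override
        public String getDisplayName() { return "Example server"; }
    }
}
```

The three properties that together close the CSRF-to-credential-capture path are visible in the method: the request must be a crumb-bearing POST, the caller must hold a permission that a victim visiting a malicious page may not have, and the target URL is validated before the credentials ID is even resolved. Auditing a plugin's form-validation methods for these three checks is a practical way to triage whether other "test connection" endpoints share the same weakness.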

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.xebialabs.ci:xlrelease-plugin (Maven)
Affected versions: < 22.0.1
Patched versions: 22.0.1

Affected products: 3

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE: mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 4

News mentions: 0

No linked articles in our index yet.