CVE-2022-34792
Description
CSRF vulnerability in Jenkins Recipe Plugin 1.2 and earlier allows attackers to forge HTTP requests to an arbitrary URL and parse the XML response.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A cross-site request forgery (CSRF) vulnerability exists in Jenkins Recipe Plugin version 1.2 and earlier [1][2]. The plugin does not require a valid CSRF token or other mechanism to validate the origin of HTTP requests, enabling an attacker to craft a malicious request that causes a Jenkins user (with sufficient permissions) to send an HTTP GET request to an attacker-specified URL and parse the response as XML. This affects all versions up to and including 1.2 of the recipe-plugin [3].
Exploitation
An attacker must trick an authenticated Jenkins user (who has at least Job/Read permission on a project that uses the Recipe Plugin) into clicking a crafted link or visiting a malicious web page. The attacker does not need any special network access or write capabilities within Jenkins itself [1]. The exploit triggers the Jenkins server to issue an HTTP GET request to an attacker-controlled URL and then process the returned content (which is parsed as XML) [1].
Impact
Successful exploitation allows the attacker to coerce a Jenkins instance into sending an HTTP request to an arbitrary URL (e.g., for internal service discovery or scanning) and to parse the XML response [1]. While the advisory does not detail the full consequences of XML parsing, it could potentially lead to information disclosure if the response contains sensitive data or further side effects if the XML parser processes external entities (SSRF or XXE) [1]. The attacker does not gain direct code execution, but the ability to control outbound requests and parse XML can be used for reconnaissance or chained with other vulnerabilities.
Mitigation
Jenkins Recipe Plugin 1.3 is not listed in the advisory as fixed; the advisory only states that version 1.2 and earlier are affected [1]. As of the advisory date (2022-06-30), no patched version was available [1]. Users should consider disabling the plugin if it is not required, or applying a workaround such as using the Content-Security-Policy HTTP header or network segmentation to limit outbound requests from the Jenkins controller [1]. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
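A hardened form of the request pattern the narrative describes, as an added example that is not the Recipe Plugin's own code: a Stapler web method that rejects GET (so Jenkins' crumb check applies), ties the fetch to a permission instead of any authenticated user, and parses the response with DTDs and external entities disabled. The class, method and parameter names (RecipeUrlCheck, doCheckRecipeUrl, value) are assumptions.

```java
import hudson.model.Item;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;
import org.w3c.dom.Document;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import java.io.InputStream;
import java.net.URI;

/** Hypothetical Stapler-bound object (e.g. a plugin Descriptor); not the Recipe Plugin's code. */
public class RecipeUrlCheck {

    /**
     * Form-validation web method that fetches and parses a recipe XML document.
     * The three controls below address the weaknesses described in the advisory text.
     */
    @RequirePOST // 1. GET is rejected; POSTs pass through Jenkins' crumb (CSRF token) check
    public FormValidation doCheckRecipeUrl(@AncestorInPath Item item,
                                           @QueryParameter String value) throws Exception {
        // 2. Require a concrete permission instead of running for any authenticated user
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            item.checkPermission(Item.CONFIGURE);
        }

        URI target = new URI(value);
        String scheme = target.getScheme();
        if (!"https".equals(scheme) && !"http".equals(scheme)) {
            return FormValidation.error("Only http(s) recipe URLs are accepted");
        }

        // 3. Parse with DTDs and external entities disabled so a hostile response cannot
        //    trigger XXE; restricting which hosts may be fetched is a deployment decision.
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);

        try (InputStream in = target.toURL().openStream()) {
            Document doc = dbf.newDocumentBuilder().parse(in);
            return FormValidation.ok("Parsed recipe root <" + doc.getDocumentElement().getTagName() + ">");
        }
    }
}
```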
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:recipeMaven | <= 1.2 | — |
Affected products
- Jenkins project / Jenkins Recipe Plugin (range: unspecified)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-hv54-cc8f-42jq (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-34792 (NVD advisory)
- www.jenkins.io/security/advisory/2022-06-30/ (Jenkins security advisory, vendor confirmation)
News mentions
No linked articles in our index yet.