VYPR
Moderate severity · NVD Advisory · Published Jun 30, 2022 · Updated Aug 3, 2024

CVE-2022-34812

Description

Jenkins XPath Configuration Viewer Plugin 1.1.1 and earlier are vulnerable to CSRF, allowing attackers to create or delete XPath expressions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability overview

The Jenkins XPath Configuration Viewer Plugin, version 1.1.1 and earlier, contains a cross-site request forgery (CSRF) vulnerability in the HTTP endpoints that create and delete XPath expressions. Jenkins' built-in CSRF protection works by validating a per-session crumb, and that validation is applied to POST requests; a state-changing endpoint that performs its action without that protection applying can be triggered by a forged request that carries no crumb, and the plugin's create and delete actions are exposed in this way. Whoever can make a logged-in user's browser issue such a request acts with that user's session [1][2].

Attack vector

An attacker exploits this by getting a Jenkins user who holds the permission needed for the create or delete action (typically an administrator) to open a crafted page or link while logged in to Jenkins. The browser attaches the victim's session cookie, and Jenkins processes the forged request as that user. The attacker needs no account or permissions of their own on the Jenkins instance [1].

Impact

Successful exploitation lets the attacker create or delete XPath expressions managed by the plugin, with the victim's permissions. This does not by itself give code execution; the practical impact is corruption of the configuration views the plugin provides, or a denial of service for users who rely on them if expressions are deleted, so the severity depends on how the plugin is used in the environment [1].

Mitigation

The Jenkins project has published a security advisory for this vulnerability [1][3]. The affected packages table below lists no patched version and this page records no patch, so do not assume that the latest plugin release addresses the issue; check the advisory for a fixed version before relying on an upgrade. Until a fixed version is available, the mitigation is to disable or uninstall the plugin on instances where it is not needed, and on instances where it is, to keep the set of users who hold the permissions the plugin's actions require as small as possible, since only those users are useful CSRF victims. Jenkins' global CSRF protection must remain enabled regardless; turning it off exposes every other POST endpoint as well.
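A practical check for this advisory, added here as an example (it is not code from this page or from the Jenkins project): it scans the JSON document that Jenkins' own plugin-manager API returns from GET /pluginManager/api/json?depth=1 and reports whether the affected plugin is installed at a version inside the page's affected range, including whether it is enabled. The sample JSON is constructed inline, and the plugin's Jenkins shortName is assumed to equal the Maven artifactId the page lists (xpath-config-viewer).

```python
"""Flag an installed Jenkins plugin that falls in this CVE's affected range.

Added example, not code from the page or from the Jenkins project.
Input is the JSON shape Jenkins returns from its own plugin-manager API,
GET /pluginManager/api/json?depth=1 (a real endpoint); the sample document
below is constructed for this example, not captured from a live server.
Assumption: the plugin's Jenkins shortName equals the Maven artifactId
shown on the page, xpath-config-viewer.
"""
import json
import re

AFFECTED_SHORT_NAME = "xpath-config-viewer"  # assumed equal to the page's artifactId
LAST_AFFECTED = "1.1.1"                       # page: affected versions <= 1.1.1


def parse_version(version: str) -> tuple[int, ...]:
    """Convert a Jenkins plugin version such as '1.1.1' or '1.2-beta-3'
    into a tuple of ints for comparison.  Only the leading dotted numeric
    part is used; any suffix is dropped, which treats '1.1.1-rc1' as 1.1.1
    (still affected), the conservative choice for a vulnerability check.
    """
    match = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"unparseable plugin version: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(short_name: str, version: str) -> bool:
    """True when this plugin/version pair is inside the advisory's range."""
    if short_name != AFFECTED_SHORT_NAME:
        return False
    return parse_version(version) <= parse_version(LAST_AFFECTED)


def find_affected(plugin_manager_json: str) -> list[dict]:
    """Scan a /pluginManager/api/json?depth=1 document and return every
    affected plugin entry, keeping the 'active' flag so the caller can see
    whether the plugin is merely installed or actually enabled."""
    doc = json.loads(plugin_manager_json)
    hits = []
    for plugin in doc.get("plugins", []):
        name = plugin.get("shortName", "")
        version = str(plugin.get("version", ""))
        if version and is_affected(name, version):
            hits.append({
                "shortName": name,
                "version": version,
                "active": bool(plugin.get("active", True)),
            })
    return hits


# Constructed sample: only the fields of the real endpoint's output that
# matter here.  Versions other than the page's 1.1.1 are illustrative.
SAMPLE_PLUGIN_MANAGER_JSON = json.dumps({
    "plugins": [
        {"shortName": "xpath-config-viewer", "version": "1.1.1", "active": True},
        {"shortName": "git", "version": "4.11.3", "active": True},
        {"shortName": "credentials", "version": "1139.veb_9579fca_33b_", "active": True},
    ]
})


if __name__ == "__main__":
    for hit in find_affected(SAMPLE_PLUGIN_MANAGER_JSON):
        state = "enabled" if hit["active"] else "installed but disabled"
        print(f"{hit['shortName']} {hit['version']}: affected by CVE-2022-34812 ({state})")
```

Against a real instance, fetch the document with an API token (for example `curl -u user:token 'https://jenkins.example/pluginManager/api/json?depth=1'`) and pass the body to find_affected. An entry with active set to false is installed but disabled, which is the state to expect after applying the mitigation above; an absent entry means the plugin was uninstalled.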

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                     Ecosystem   Affected versions   Patched versions
org.jenkins-ci.plugins:xpath-config-viewer  Maven       <= 1.1.1            (none listed)

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 3
